guloader | ed3b929652834dc47ce5fcccd629de67024a303a01e2212b9e9f474388226e10

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
Size

924KB
MD5

9d14770a66e06aebef0e127c007d5321
SHA1

c6e91ed004b01f5c571878f708f95adc4e3438bc
SHA256

ed3b929652834dc47ce5fcccd629de67024a303a01e2212b9e9f474388226e10
SHA512

d00fbe3a30cb943719f733b86ef12b71f74ba6802f93696bf4e01dbf01f57d7d026e8ce3eaf1131e169186113c53d4f7c8aa434a9f3d2af94a440e7ea6255581
SSDEEP

24576:V0fwt2jbpDHtZtrwz4gl32m1abiDLTmAYu+oA0Ar2U:iot2jbpv9Zgl3rQkMJ97

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
tonicables.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
Key opened	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
Key opened	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	drive.google.com
63	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	checkip.dyndns.org
77	reallyfreegeoip.org
78	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4548	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
4548	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\komplementrt\halstrkldernes.dds	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
4548	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4548	2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe	106
PID 2008 wrote to memory of 4548	2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe	106
PID 2008 wrote to memory of 4548	2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe	106
PID 2008 wrote to memory of 4548	2008	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe	106

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe

C:\Users\Admin\AppData\Local\Temp\DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL AWB - COMMERCIAL INVOICE & BILL OF LADING.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsqF74D.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqF74E.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrFBE5.tmp

Filesize
17B

MD5
e3e52271695d789252499380bab83be2

SHA1
a87dda09a98f8ed7ada5db378914743c76acee6f

SHA256
96f0ffcdf2308d036f51f1fad5fb1e501f7137ab3c010c165210530c105d9be4

SHA512
57f2aa081f3b2c756861dbab5296c1f143026b2f178b45746411fa6e0852fbf0106415801ae99d5d30fecc944296b453fb1b258e9df2f6669c0a8fb6d4a780aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvF8A6.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF944.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF944.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF944.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF944.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF944.tmp

Filesize
44B

MD5
f48cfa035479c603f7f13a21780cc97f

SHA1
4a34593a370ba98c29902e86f0da5a10569c5dda

SHA256
dec26c9f4e96ab8c6823235a02f5e50a017446d59670a8b9d8c1af7fc703b2c5

SHA512
a9ab6874b426c0ef214bf5f78cf56f3c490b1d7ed3e680ba34630c1f2a1ba6584b3582a25c1cc0458d84a5b59032c2aab87b3fccf882093dfadaec88018c1494

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFA2F.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFA2F.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFA2F.tmp

Filesize
56B

MD5
e65ea5be30db199e3b36fe386457ab86

SHA1
b9c54d16e2ef1e80ac23da4926b131583f419b2a

SHA256
809920fc68df5d2f3d67146e7764f7e111002a82a769b0034ff3ec5f601591bf

SHA512
03849eca78b880c022374f970d23edcc9d75830f3eec05e7c0fd55996ac43abec916866933a7f57106c877ff0bde4ec1e08e89bdcb61ebcaf8bf864a78701140

Download Submit
memory/2008-585-0x0000000077B61000-0x0000000077C81000-memory.dmp

Filesize
1.1MB

Download
memory/2008-586-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/4548-587-0x0000000001A50000-0x0000000007050000-memory.dmp

Filesize
86.0MB

Download
memory/4548-588-0x0000000077B61000-0x0000000077C81000-memory.dmp

Filesize
1.1MB

Download
memory/4548-589-0x0000000077BE8000-0x0000000077BE9000-memory.dmp

Filesize
4KB

Download
memory/4548-590-0x0000000077C05000-0x0000000077C06000-memory.dmp

Filesize
4KB

Download
memory/4548-603-0x00000000007F0000-0x0000000001A44000-memory.dmp

Filesize
18.3MB

Download
memory/4548-604-0x0000000077B61000-0x0000000077C81000-memory.dmp

Filesize
1.1MB

Download
memory/4548-606-0x0000000072A5E000-0x0000000072A5F000-memory.dmp

Filesize
4KB

Download
memory/4548-605-0x0000000001A50000-0x0000000007050000-memory.dmp

Filesize
86.0MB

Download
memory/4548-607-0x00000000007F0000-0x0000000000838000-memory.dmp

Filesize
288KB

Download
memory/4548-608-0x0000000039EB0000-0x000000003A454000-memory.dmp

Filesize
5.6MB

Download
memory/4548-610-0x000000003A4A0000-0x000000003A53C000-memory.dmp

Filesize
624KB

Download
memory/4548-611-0x0000000072A50000-0x0000000073200000-memory.dmp

Filesize
7.7MB

Download
memory/4548-612-0x0000000072A5E000-0x0000000072A5F000-memory.dmp

Filesize
4KB

Download
memory/4548-614-0x000000003A9B0000-0x000000003AB72000-memory.dmp

Filesize
1.8MB

Download
memory/4548-615-0x000000003AB90000-0x000000003ABE0000-memory.dmp

Filesize
320KB

Download
memory/4548-616-0x0000000072A50000-0x0000000073200000-memory.dmp

Filesize
7.7MB

Download