guloader | d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
10-02-2025 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.24375.4894.exe
Size

1.0MB
MD5

7cb641309b4799eb80d2e7b1d1bb270f
SHA1

4f3f3727b0a2834237e0f6746909b6e4dc2aaa28
SHA256

d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c
SHA512

5c0abf7f4ce789bfb910f207eabeaf121a98c6e6808c2da3498a676dd53c1f1f7780e1ba10bcd54c39dc0c73f88c1120b96b9fe5919252a17c1e0462cf063cc0
SSDEEP

24576:NtLjGGJ053ut4zYZZpFHSLdWcWLT5gUNbSx312z1mbfa20:NtL1J04ZXH21Mg2w3ymbfl0

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.leedelectronics.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe
2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org
16	reallyfreegeoip.org
17	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3336	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe
3336	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.24375.4894.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3336	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 3336	2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe	32
PID 2264 wrote to memory of 3336	2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe	32
PID 2264 wrote to memory of 3336	2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe	32
PID 2264 wrote to memory of 3336	2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe	32
PID 2264 wrote to memory of 3336	2264	SecuriteInfo.com.FileRepMalware.24375.4894.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Alpha.ini

Filesize
47B

MD5
b895d576d6637a778b387b2fca0f56ec

SHA1
e78d2be4d94673d612c16d29c330bb0c78778429

SHA256
bfec1e97ed5d34825521d60b98986d1564cd159b4d1f9569eae4c3464d2f5c47

SHA512
b4a771d1b517a2776ba440f79f168306c244df1a6de1966313157154d8d52bead8131b95f846c2f55c15382e04284fffc6cf6abf3f6fcfcb259df2ea58d769e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdC566.tmp

Filesize
60B

MD5
aa101b58780fd9927e16ea976931119d

SHA1
d9bc57d00cdde08d1139dbb92e04ef1ab90f330d

SHA256
97a61a72a4efd43ce1c50df64c0449b0ac41a5178b11896d1446a7f9bb9a5b7a

SHA512
5d21a58b0b6fe5c98b548d0a642d226b784701847ff93e4f819e621a33e640432f1cdf3c3d58a4d173017a142a31c2471c4d667432790b4a13548999bd8ed2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC506.tmp

Filesize
71B

MD5
fa03f87568cc498e445851fdc25e6650

SHA1
0e22fbef177db71831aad63f1185f3886a0e440a

SHA256
70575dfd32af5bdea9244096f613f64ddbed3f1ccab2f30764bbfe47f01f3c3c

SHA512
1d2ebe36663d54525c0980cc36f967c584e3849b8dd6e77f0092157879b1ebdbed1d0e50f08c41365cca356dca3df41f21f7725fe1665d5ffd7826ff5b1fa5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC506.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC506.tmp

Filesize
37B

MD5
c641bfa28a71f86301ed9e81931da24c

SHA1
59770ef0e9c2658e6aacd708615767660a2dec66

SHA256
df9ef051e1940f576446c4ef6d4ee0f201488c4c0485c26ef2bd3923b3e6a761

SHA512
e2e24f388600ca77ea717c8ebf382ff961cf20ae054d807526dddf28e5a328cbacfb57a6d00ad43afca0a4bc00ebb3f42a169de1fa5787265f468fe9056d093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC556.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC577.tmp

Filesize
56B

MD5
5fba144da46d7840a031c5c9e3436efd

SHA1
b1a3f5a8b3edcbeed033e69dd888c6ca20901b04

SHA256
e42e07324eecf27aa8b9c2ce5517e122ef5d309a9b887e8b5a46b1f5feb066c9

SHA512
52b087ea96434f9cee6aad677cab44e5dffa43879bc601d7e6a567839530363eb93d207b23c1fe8335fd09c8bf58c199ef001ca6560641070350989766c7d23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC597.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Public\Desktop\Varda.ini

Filesize
33B

MD5
340ad700cf73b73ea2313c044d40ea9a

SHA1
9b90cc3147d140fa936e308c2c320bdc385da93a

SHA256
55a2b8f5ef1d17023fd8245e69830cc961c0ce629eddc7ac1043c288cb3915b5

SHA512
4b31d10b80ae71197ac367c868569949224a4cd542bf0e9c188b816348ec8958f952525f939c827bddc8610f268dd12e310d6d2fc99071c741b3a38e062542b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC545.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/2264-597-0x0000000004110000-0x0000000005223000-memory.dmp

Filesize
17.1MB

Download
memory/2264-598-0x0000000077A21000-0x0000000077B22000-memory.dmp

Filesize
1.0MB

Download
memory/2264-599-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/3336-600-0x00000000014F0000-0x0000000002603000-memory.dmp

Filesize
17.1MB

Download
memory/3336-601-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/3336-605-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/3336-622-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/3336-623-0x00000000014F0000-0x0000000002603000-memory.dmp

Filesize
17.1MB

Download
memory/3336-625-0x0000000000480000-0x00000000004C8000-memory.dmp

Filesize
288KB

Download