guloader | d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-02-2025 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.24375.4894.exe
Size

1.0MB
MD5

7cb641309b4799eb80d2e7b1d1bb270f
SHA1

4f3f3727b0a2834237e0f6746909b6e4dc2aaa28
SHA256

d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c
SHA512

5c0abf7f4ce789bfb910f207eabeaf121a98c6e6808c2da3498a676dd53c1f1f7780e1ba10bcd54c39dc0c73f88c1120b96b9fe5919252a17c1e0462cf063cc0
SSDEEP

24576:NtLjGGJ053ut4zYZZpFHSLdWcWLT5gUNbSx312z1mbfa20:NtL1J04ZXH21Mg2w3ymbfl0

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.leedelectronics.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe
2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	reallyfreegeoip.org
20	reallyfreegeoip.org
14	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2284	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe
2284	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.24375.4894.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2284	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	SecuriteInfo.com.FileRepMalware.24375.4894.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2284	2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe	31
PID 2336 wrote to memory of 2284	2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe	31
PID 2336 wrote to memory of 2284	2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe	31
PID 2336 wrote to memory of 2284	2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe	31
PID 2336 wrote to memory of 2284	2336	SecuriteInfo.com.FileRepMalware.24375.4894.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.24375.4894.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdB0FE.tmp

Filesize
21B

MD5
2dc5ae451f6175ae513bed5c4714d5ee

SHA1
4f47723723e7643a5b4c67f5f9d68cd834f80a4f

SHA256
180f6fc17f1d6e7d0878868f1643dc8c340f457eac0d6fc3680a95f1f9e7e54e

SHA512
9140fa690eca23bdf03d3058e6527c56cd51089b394ef681979f8e63cdc183fa942aecfd2d1061f50966fb998a5c0999b97b5b3a9af6aff1ce1d4826cfd42887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB0FE.tmp

Filesize
24B

MD5
effa3542d2defff85aeeb1a54276c6bb

SHA1
5d10bff92a69d54f065550910baed5b55febaa80

SHA256
10c81101c2450f3974b06e0e2ec7f84c5f1fcce2ebd790baa07860053bca5c04

SHA512
ea0ad475d212d5b6aa756cd8eca9b8317349727b4780e204394722a6665958c1eab7528b2f0d0ce0ca044c4ee5e03e29b86696acc64dd60ffbc4bd643f794600

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
27B

MD5
25f205f6839d0787565c29c38a66e75e

SHA1
a2fbad8a011fe9e90a71727905ab119dd3c39b0f

SHA256
e2b210499b723d06146d7e4b169a4ae664b9f157a7ce9fdf76f763acad5163b2

SHA512
24b55c8bc4a2a7cd3e4360e0bdbd9dfdb8c81a5cc8b8e8205916064ebbcb9e83ffb86e6d42dc1325c93539625b66540353180119469b31d2a01b6c7300e9e495

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB0CF.tmp

Filesize
45B

MD5
f819a1fc1062767b3b442dc7cef52097

SHA1
51ed1c2757654d7c27d426c3d6f85daaebf58062

SHA256
c84b063ae6807b3d46d250632afae9cd99a534b53c716dbffb0caf8a0f5e21ad

SHA512
6e171607b4afba2a221488dea5087321a7366cfb23d14ae551bf4fa1506d6deaee98eba2a763bec1a493d63ba66dc90508c82ffa08e8cb99d8cbbfa3b215ff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB050.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB050.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB050.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF0.tmp

Filesize
50B

MD5
d4e73c2e024084f8a99a4d7f7b87c125

SHA1
cd36a406008d290ca754788594cf3d8eeba58169

SHA256
dbcd27d2bc601f3f5e3eb88dd23dece5d924d6840f6ec9f6004d0f79ad260f20

SHA512
7f7c87fc47e1f0dec6a83b366c8c71bc10e0664a786f80875e1878070be556adb766d4ab1069e47b592949a35141c0079b4b1f78787279115a3e94b91ada15ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF0.tmp

Filesize
58B

MD5
0b29799f668498e44f469590f92136a6

SHA1
477022e40d3b1f1f06f5e6c0404450af702db6eb

SHA256
9b9b769252e232ac369f61922b79f5656a4f4d744e39114bd389d0a56469ce3f

SHA512
d987b05f4085bc9d3640e496f002e068649a2859f0aa6c538de03ffac0f766dc0009a6f532809e579655ad5677a150834447670fb2774d1bdd33b70542ff3ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF0.tmp

Filesize
61B

MD5
74b3a93cf5d11d11b8dff1d5ec57a81d

SHA1
bc7da5a65649e99c488e6a4c130f1134e80dcf74

SHA256
706dc879eaaeee6ada053cfd98acedee299c07a8dc98f0cc024cc614057c38b6

SHA512
bef3b9fa70eec9ecb57ccc75bb54a5a76e1a0c4a8387823f7c931f091a1157bea4e678e19fcc775a7ee1c43d025d09e8ae4869b4c785dc7f8c4de39cf9bd7d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF0.tmp

Filesize
65B

MD5
1bd5509d17a385dbcebec5b71de8dffc

SHA1
9d70c3f205dddda5e33e5de97c0a09feb6836130

SHA256
2bad3065546719b1e5ff58cb7ca6231b6cb669fb1fd06fb30102e9df00d63e60

SHA512
ca43f9d62ad2c3b950b816274869a1c0bd22b77bbb80fc810783ef23b9317362132fb2f29510bb51f4d00940d8c9038b5700560b6f1e38722b2e65037c148bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF0.tmp

Filesize
18B

MD5
1a42166fa1e8a360271d4fb25c78fbda

SHA1
f4d1ad6ecdc1202a2c08c03514ec814072b818d2

SHA256
b271abd85535886a3753ee0a5e8957a1bf2e502c4a275d1d8f7f5ddf3b7de292

SHA512
ee3342a9a407bfe56e7c65c1f1c0b15624fbffc60c88ff9e404a1dbebcfd606f42de8cb61624f992f57fca2e05d75a64611a78e508c7772ffaeb9c5924c87c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAFF0.tmp

Filesize
42B

MD5
b6a6fc39000a885d47bb4a68599189d2

SHA1
2e6af0f8af28d0ccf111437ebdef42fc9b87d976

SHA256
d0e907cfed7dd830efd34ab698cfbc7726f29b52b71479f6ee9cc34087925d26

SHA512
79f428030deceb2504105b031f605836640f70e070c23dfc3d8f815c3b08b7377cb53455e8a8333dd7b2fca5507da24682b809eb586d8ce3a223e532a93d9263

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB08F.tmp

Filesize
11B

MD5
f9e81875c2ac80cd228ff7615d6e6183

SHA1
bc60a68ab8522806b30affd832b5866643ec2031

SHA256
54d26d86b2ebde0a52271df5d2bcc911d881ada35d5716076d0411672f78e7b1

SHA512
6173811b6e692e85ac091f9e53ad9e392dc9853087756dae6907ae45b73704c1084ad64bb9730871b6f7dd16d871dfcf089fcf19746cbee68b783a691937d1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB08F.tmp

Filesize
20B

MD5
981d979ec49cb64b078f50013c191acd

SHA1
18f103644da4913b96391b7d457ded5706e4d0f2

SHA256
f4e95849a9bf43f048e70b6beb4716762d41fd3efcb59bc58923386a6e3aeb5b

SHA512
d2901d088095cfb15227db5b49f510591e3480be1d4bd16991e794347657bcc4e1e940834961a09d9eaf48c3224886b850973a8eff9cd3ee74f7eec622bb6eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB08F.tmp

Filesize
27B

MD5
a4fef08db3bf7402436db287f01bb2fc

SHA1
66c9356fcc83fdda2e04821fa06ab8bee4f26720

SHA256
92bbc71aa04b34f3d6666861e615244db3d3be6f1287b3947115ea9d0e98a5d7

SHA512
3da695803076c9b338d9fac3d9da91ac8e0f8b4fb28665ad175325684a5688e83f56bff62766d99583ea9b2a0e394ad64f4fff3fc45b3fe154e6b4026ef7a44a

Download Submit
C:\Users\Public\Desktop\Varda.ini

Filesize
33B

MD5
340ad700cf73b73ea2313c044d40ea9a

SHA1
9b90cc3147d140fa936e308c2c320bdc385da93a

SHA256
55a2b8f5ef1d17023fd8245e69830cc961c0ce629eddc7ac1043c288cb3915b5

SHA512
4b31d10b80ae71197ac367c868569949224a4cd542bf0e9c188b816348ec8958f952525f939c827bddc8610f268dd12e310d6d2fc99071c741b3a38e062542b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB03F.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/2284-601-0x0000000077300000-0x00000000774A9000-memory.dmp

Filesize
1.7MB

Download
memory/2284-600-0x00000000014F0000-0x0000000002603000-memory.dmp

Filesize
17.1MB

Download
memory/2284-605-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2284-622-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2284-623-0x00000000014F0000-0x0000000002603000-memory.dmp

Filesize
17.1MB

Download
memory/2284-624-0x0000000000480000-0x00000000004C8000-memory.dmp

Filesize
288KB

Download
memory/2336-599-0x0000000077300000-0x00000000774A9000-memory.dmp

Filesize
1.7MB

Download
memory/2336-598-0x0000000077301000-0x0000000077402000-memory.dmp

Filesize
1.0MB

Download
memory/2336-597-0x0000000003D50000-0x0000000004E63000-memory.dmp

Filesize
17.1MB

Download