guloader | fa95a74bd124a32e198c07511e563c2c5a3f9ec71a4a40ffb4de15b3b2b5ddf7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

justificante.exe
Size

745KB
MD5

f73f9b729a0171e1d1aabd214c1fc2bd
SHA1

ca95dc8efa2f5575ad590e08ddad9af4dda6b7d3
SHA256

fa95a74bd124a32e198c07511e563c2c5a3f9ec71a4a40ffb4de15b3b2b5ddf7
SHA512

9e2fa622880947025a69bd8df9407ab0d015a0181a37d3bdbbfa427ceb55faea2af02c6fe101f37e8d292524a1854601951fbb2604ed787c2d75e3b3b56940f0
SSDEEP

12288:0CT6YT8Rf2RR51iL7yLFO06tLUJstWI6ulekbiDBfR5j5TzIBCZYu+fQCZ0CZr21:0C6Y3RRriahD6tIJcW/ubiDLTmAYu+o/

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7985048972:AAETw71DlbcHqzvtl1F1nkzl_0aMbnCis_c/sendMessage?chat_id=7794818739

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	5052	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
3764	justificante.exe
3764	justificante.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	drive.google.com
45	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	checkip.dyndns.org
60	reallyfreegeoip.org
61	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5096	justificante.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3764	justificante.exe
5096	justificante.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\komplementrt\halstrkldernes.dds	justificante.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justificante.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justificante.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5112	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5096	justificante.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3764	justificante.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	justificante.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 5096	3764	justificante.exe	100
PID 3764 wrote to memory of 5096	3764	justificante.exe	100
PID 3764 wrote to memory of 5096	3764	justificante.exe	100
PID 3764 wrote to memory of 5096	3764	justificante.exe	100

C:\Users\Admin\AppData\Local\Temp\justificante.exe
"C:\Users\Admin\AppData\Local\Temp\justificante.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\justificante.exe
  "C:\Users\Admin\AppData\Local\Temp\justificante.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkIwOUU5RTEtQjZFRi00QTE0LUJDREQtQzhDRUU2NzgwQ0NFfSIgdXNlcmlkPSJ7MTg4RjlEM0EtNkY4OS00RTlDLThBRTItRDhDNTFCRTc0OEY0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzU1QUExQUQtMEFDQi00QkNGLTg3OTItRjA5ODdBQTE4NDQzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTAyNjgzMzgwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb2B8F.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2B8F.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2B8F.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2B8F.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2B8F.tmp

Filesize
39B

MD5
505f20cd45bc836373386cea45c8b35a

SHA1
affac354f022af0b30bd22577b6a17aef655c9c3

SHA256
1af69999dc9321b779722fe8143e4d882527302782fb2f1f8ed2c817e66374aa

SHA512
38c5d410f9ef5fa60f1f2b9925723145a8ec77020d7a4b648373bab3137cf55c4dd21ff08a33add95090ece4a36cd4b3fb1fcc68ff93026676960b77a93ce721

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2D65.tmp

Filesize
13B

MD5
f6dd1b23c7a68545a2c2dbf678cf8683

SHA1
43eeed66236b1b5868671abdc138051daa64fd16

SHA256
38e0646749072dd0bfa54e9cc2884b454d7ea22b08d816599d86f7f162e1c7e8

SHA512
a23ad3fc2ca9259a0641bc445eb71848c5e824694f844dea4d35d985aa65fa6a882af3d4f873042df9da564e0ec4afd0ad2bc6911c00a70f9e82171d53fb76d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk29A8.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2C6A.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2C6A.tmp

Filesize
30B

MD5
c15356485482af1da0075c68d6a7f89b

SHA1
4b70aba25450abbd74e02783504a2ce6f4e927e3

SHA256
694e2b9c9700cad05917d5a38de4510b0aed582257f50990179ed3a4553ebfb8

SHA512
b1774a03e4949b416df320b62adcb3c691e98cd94562770a0ea98b965da3fac2fcdb29c881ee2e71e30beffafc6c055246b5be025aa5a71e3723e329f575da1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2C6A.tmp

Filesize
45B

MD5
bc4de0b52de78a73a826c0781ceb2d11

SHA1
a7e8133d80f959e5075f9fa423775c4b77921f00

SHA256
49f618d3355d1bd8197a6bfb5eb1233560a79950d166a7313aba3d4d3f2cc2b9

SHA512
7ca6baf433d1b44a6ee7ba9efeda1e20d6b22d96e300978b83330ccb05e1ec5eb07f6e36200b22d66453ad0eef938932ea77c756ddc5e57674b916e0ac79928c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2AD2.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2AD2.tmp

Filesize
19B

MD5
43157868a196cf407824a5411f44f7e2

SHA1
7752306ef99ff3506a6ff41cb71d0c347b932565

SHA256
12a5b941c522748da012db793d839e52457ef62d7964de9001a30469f69e05d1

SHA512
322383a4d970f07ba4e00417d42054ea58347b5d4d068b85669d9512380c772f80788358d579a0419df634855711877478bc67bd1e7d2f8f6d30c63f63368852

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2AD2.tmp

Filesize
24B

MD5
60f65c2cd21dde8cc4ce815633d832e0

SHA1
c1196320458557d8c4f65ba6810953b1037a822b

SHA256
7f0f042b1879b1b8f04a5e6051e577a1e691ec322789c4d98d52494cfd906ce7

SHA512
301ead9a6620deccb0be51bbe4eb760ca9d48d029cded0c6cdc7115a4353f4d9330f2ca92df2519a78a7d5aa24975ca6fa19c0269cc411026739b3f733f8d8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2AD2.tmp

Filesize
50B

MD5
66232700b45a0cd2fca0b0ab4c15cf1d

SHA1
5b63ae813636c07f4de62f88425d23c3c75e024b

SHA256
6a3fde98ef05ef8b76bb66538de3e3e14b6d9928176532293645b0cb27325c9d

SHA512
f97a2e4779c99d335f4118b94dfb004c65efe5342c6fc75632bfa6f96ac14c5c35cd1adc11a7e5472dc22553e6151e109e2cca5694139eea6fa32e620c0c5054

Download Submit
memory/3764-588-0x0000000077901000-0x0000000077A21000-memory.dmp

Filesize
1.1MB

Download
memory/3764-587-0x0000000005290000-0x00000000081AD000-memory.dmp

Filesize
47.1MB

Download
memory/3764-586-0x0000000005290000-0x00000000081AD000-memory.dmp

Filesize
47.1MB

Download
memory/3764-589-0x0000000077901000-0x0000000077A21000-memory.dmp

Filesize
1.1MB

Download
memory/3764-590-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3764-592-0x0000000005290000-0x00000000081AD000-memory.dmp

Filesize
47.1MB

Download
memory/5096-605-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/5096-608-0x00000000007D0000-0x0000000000812000-memory.dmp

Filesize
264KB

Download
memory/5096-609-0x0000000037860000-0x0000000037E04000-memory.dmp

Filesize
5.6MB

Download
memory/5096-607-0x0000000001A30000-0x000000000494D000-memory.dmp

Filesize
47.1MB

Download
memory/5096-610-0x0000000037E10000-0x0000000037EAC000-memory.dmp

Filesize
624KB

Download