guloader | dde1528c732c07d5f7153dc871342bd4657836a7ccfe185e15af90c87dbf95a7

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-02-2025 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.23885.29286.exe
Size

1019KB
MD5

48b03eaf0daf01e7e607c9ef2d4605e6
SHA1

197c883e8f662c4f432f9b433cab6fbae45cb7cc
SHA256

dde1528c732c07d5f7153dc871342bd4657836a7ccfe185e15af90c87dbf95a7
SHA512

db4900abfad46fae0518ac34d38a16eb74033d4262a0f46da05106ab46811a9a9b23078cc32278b3dad4d521dc68d6e29b0ad8a577968f47b6fc1393c39caf0f
SSDEEP

24576:NtLj+hI8nM8/LitBKEvjqVdYpD0rDpCKOIRNFlBsaKo:NtLihpnV/LSqVdI0rNbNF7sxo

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.muriana.com
Port:
587
Username:
[email protected]
Password:
Provisional123***
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe
2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org
16	reallyfreegeoip.org
17	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2624	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe
2624	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.23885.29286.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2624	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	SecuriteInfo.com.FileRepMalware.23885.29286.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2624	2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe	32
PID 2044 wrote to memory of 2624	2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe	32
PID 2044 wrote to memory of 2624	2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe	32
PID 2044 wrote to memory of 2624	2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe	32
PID 2044 wrote to memory of 2624	2044	SecuriteInfo.com.FileRepMalware.23885.29286.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.23885.29286.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.23885.29286.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.23885.29286.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.23885.29286.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjCD23.tmp

Filesize
14B

MD5
4916cd6b7dda05c7a23b1d31d796ed7b

SHA1
a999776c87fb3bc6fc6390469c79ec302ee2410f

SHA256
fbd1ae27c78de7d1be52844bfb664657c23dc7a39dc32126f422e26ef472b954

SHA512
db2e17ed849245ab83db878e80b743fd1967f8609793be2736e300d683f9484e61c83fdab089fdf39aca4d196513d7afe65ec7d37964a162852a3f372e39d051

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCD23.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCDC1.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCDC1.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCDC1.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCDC1.tmp

Filesize
16B

MD5
1a069d3d8cca839a3c2f44a0e833d67c

SHA1
2bdc93e3d3aac0914cd4d3d43210bc2b2c7f09cf

SHA256
0c09cbcf0803dc2c44739757d37fe7f33fa193d747df71db3172e68aa0ddb309

SHA512
970ed67a84e4132b0336cd8f7c07c4ab6dc56ce97993b64e4e94a80e76ee7bd4ca04349cd0113df5e04053fbfde9d27c3cb5ab61a9492d584b7febfcaddf53e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCDC1.tmp

Filesize
25B

MD5
0064e905a25d25e9da3e091fec6128b4

SHA1
0916142d8dbc95b1603767e67e28d3abcca8f89f

SHA256
dbb07eb4882c53ce57bb0aa8a0707ee7e4be2a12fee11e1d17e843ec4edeba9f

SHA512
b94e4dfea2f088a2838174b1650ca9d3fe4e4cb75bb67e3770fbcfb277e09daaa05bbc2686744852e56db010a81a1f48da0da3b5be05470a297a58142c8bbc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCDC1.tmp

Filesize
56B

MD5
d4de0eab933eaea20fcc7a0fbc8f259a

SHA1
776f886cf63358662064f49513924aa1f8d32596

SHA256
58a06909bc19369daa6be9cfb1ceeb7d39547f7dde6d51fa53295c9cb59d13e0

SHA512
f33f19ae60203255638b5699737737ca342d48b62da9b462b086e284773bf9cb4ba475b8a625edc0d519761f15866a424caccedd6632e2fbc08a1855b8d1a7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCCA4.tmp

Filesize
73B

MD5
b80ef50d0f02b0e60035ddab237b744e

SHA1
addac470421ca09efee0c0718d805e1312246086

SHA256
d26183d8122f1a8b4a98c5716a0520bdf9b28b95fa3baac4af25c49d39bd1da9

SHA512
ccf91989bb62dfd85144b5b85528921f2a134515797fbe6be348852bca34e6e7bc27a7d6a17e7ba28b62a8c644581a092a892957c84853cbb29eea8cb6792820

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCCA4.tmp

Filesize
20B

MD5
9111ba1d1ceb4b7f775d74730aac363e

SHA1
c0af4968c775735be12419b60b257ed4359cb9b2

SHA256
0883f5bab7d5dafd9efec59b917070f5d051f50b047951d1ea87dab27fef7b91

SHA512
836c5d3941109691f2589e317e10d661978d9fc4af435bde3467159913ff9192d6eab1efe3e50e2048d06ce0c85963efe1ac056e1fd6ff1d33ac05f25beabbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCCA4.tmp

Filesize
37B

MD5
c641bfa28a71f86301ed9e81931da24c

SHA1
59770ef0e9c2658e6aacd708615767660a2dec66

SHA256
df9ef051e1940f576446c4ef6d4ee0f201488c4c0485c26ef2bd3923b3e6a761

SHA512
e2e24f388600ca77ea717c8ebf382ff961cf20ae054d807526dddf28e5a328cbacfb57a6d00ad43afca0a4bc00ebb3f42a169de1fa5787265f468fe9056d093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCE2F.tmp

Filesize
9B

MD5
bc86ffa91686a2ee2ac3cc3d50c4389e

SHA1
6d81aa156225f8df56a7711519ac3ff87abec24f

SHA256
9e56c757510a69c7ee47407dbda53e8d8b983755854362df4dbcad941696dceb

SHA512
5c54242e478199a95f615af1ac74fda63f4a1a1e22ef5799dc552ed432320adb20df54f9083cee1ee7c2d8ef2792f0f12e579229b7c64ffb74952e3044f4b7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCD62.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCD62.tmp

Filesize
19B

MD5
adfb82dfa0a66bd7e108a83873cbd4cf

SHA1
caaf90327bb1e7b6731e154351f351bf3a3bb1c4

SHA256
2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228

SHA512
103f484f3497eaf8cc231f09a5c565ba524d5af523970272d9a853ede106fc176f524bb6aeb8f7f59992e7a5651abb55b80134d539bb050aaf780624422d982b

Download Submit
C:\Users\Public\Desktop\Varda.ini

Filesize
33B

MD5
340ad700cf73b73ea2313c044d40ea9a

SHA1
9b90cc3147d140fa936e308c2c320bdc385da93a

SHA256
55a2b8f5ef1d17023fd8245e69830cc961c0ce629eddc7ac1043c288cb3915b5

SHA512
4b31d10b80ae71197ac367c868569949224a4cd542bf0e9c188b816348ec8958f952525f939c827bddc8610f268dd12e310d6d2fc99071c741b3a38e062542b4

Download Submit
\Users\Admin\AppData\Local\Temp\nstCD12.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/2044-600-0x0000000077820000-0x00000000779C9000-memory.dmp

Filesize
1.7MB

Download
memory/2044-598-0x0000000003990000-0x00000000062A6000-memory.dmp

Filesize
41.1MB

Download
memory/2044-599-0x0000000077821000-0x0000000077922000-memory.dmp

Filesize
1.0MB

Download
memory/2044-597-0x0000000003990000-0x00000000062A6000-memory.dmp

Filesize
41.1MB

Download
memory/2624-602-0x0000000077820000-0x00000000779C9000-memory.dmp

Filesize
1.7MB

Download
memory/2624-601-0x00000000014F0000-0x0000000003E06000-memory.dmp

Filesize
41.1MB

Download
memory/2624-619-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2624-623-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2624-624-0x00000000014F0000-0x0000000003E06000-memory.dmp

Filesize
41.1MB

Download
memory/2624-625-0x0000000000480000-0x00000000004C8000-memory.dmp

Filesize
288KB

Download