guloader | 29609f09ad62c2c32ca641e535076dfa6ce094412eca7e54ab5460096b44f9db

General

Target

presupuestourgente.exe
Size

620KB
MD5

0699d1cef89f6a68b1a751df81ca57d7
SHA1

babd83e5b5bba31dc53a97b93042fd82732d5f53
SHA256

29609f09ad62c2c32ca641e535076dfa6ce094412eca7e54ab5460096b44f9db
SHA512

5518124c13021a41e1bc6a97ed8f6054fe9356eb8dc229de01de299f2ebbd7abfd72a9461f6c91bf5f3214a6ecea70cc932f35f959d2e31d1d46d59aad3a78f4
SSDEEP

12288:ZhqqxfqTewx8s2s5Y8LP7+VJWZl85osgsJlFLtAKXQo:ZMCqeW8TyLjUWZl82+JlFZAKgo

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7809789609:AAFDhXsYPyaTrfKRHK3WeoYjI2bc1kwou_A/sendMessage?chat_id=7018410926

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Downloads MZ/PE file 1 IoCs

flow	pid	Process
59	2336	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe
3672	presupuestourgente.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	drive.google.com
32	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4784	presupuestourgente.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3672	presupuestourgente.exe
4784	presupuestourgente.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\oxyrhynchus\statiscope.ini	presupuestourgente.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4412	4784	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	presupuestourgente.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	presupuestourgente.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2964	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4784	presupuestourgente.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3672	presupuestourgente.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	presupuestourgente.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4784	3672	presupuestourgente.exe	94
PID 3672 wrote to memory of 4784	3672	presupuestourgente.exe	94
PID 3672 wrote to memory of 4784	3672	presupuestourgente.exe	94
PID 3672 wrote to memory of 4784	3672	presupuestourgente.exe	94

C:\Users\Admin\AppData\Local\Temp\presupuestourgente.exe
"C:\Users\Admin\AppData\Local\Temp\presupuestourgente.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\presupuestourgente.exe
  "C:\Users\Admin\AppData\Local\Temp\presupuestourgente.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2272
    3⤵
    - Program crash
    PID:4412

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDcwODk2QTgtQkM0MS00NDJGLUFEMDYtNzA2MzU1NjJDRTEyfSIgdXNlcmlkPSJ7MzE1OTg1RDMtN0Q2My00QjcxLTgwQTUtODU4OUFCRkQ0RUNGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MEUyNDYxOTItODlFNC00NEJBLTkxMjEtNDM0MkI5OTU1OTBDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQwNzI5NzQ5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
1⤵
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsmE476.tmp\LangDLL.dll

Filesize
5KB

MD5
7af1e33d85459fbd2cf7ef29d7528e9e

SHA1
8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

SHA256
958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

SHA512
1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmE476.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
memory/3672-40-0x0000000076FE1000-0x0000000077101000-memory.dmp

Filesize
1.1MB

Download
memory/3672-42-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3672-41-0x0000000076FE1000-0x0000000077101000-memory.dmp

Filesize
1.1MB

Download
memory/4784-45-0x0000000077068000-0x0000000077069000-memory.dmp

Filesize
4KB

Download
memory/4784-43-0x00000000016D0000-0x0000000006F14000-memory.dmp

Filesize
88.3MB

Download
memory/4784-46-0x0000000077085000-0x0000000077086000-memory.dmp

Filesize
4KB

Download
memory/4784-59-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/4784-60-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/4784-61-0x00000000016D0000-0x0000000006F14000-memory.dmp

Filesize
88.3MB

Download
memory/4784-62-0x0000000000470000-0x00000000004BA000-memory.dmp

Filesize
296KB

Download
memory/4784-63-0x0000000039E40000-0x000000003A3E4000-memory.dmp

Filesize
5.6MB

Download
memory/4784-64-0x0000000037940000-0x00000000379DC000-memory.dmp

Filesize
624KB

Download
memory/4784-65-0x0000000076FE1000-0x0000000077101000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing