guloader | aaa5c9077b9ca6f95da70f1c4df45f84c2fa48f62ad9548a7328add232978ebb

General

Target

FacturaHonorarios_2025-04-9.iso
Size

1.1MB
Sample

250409-h1zlvsszdt
MD5

b733ae5e018e2b524546f01a4fce2e3e
SHA1

a9ab761faa70fba6671bf51dcd40782aac6e7693
SHA256

aaa5c9077b9ca6f95da70f1c4df45f84c2fa48f62ad9548a7328add232978ebb
SHA512

354ec1a12d0ec1d64325b2e05eb342f309251bd2cf6c19931f8eb2ba92fce3dfa141d1a364d023b18b1e6362ca3f70be2205d439bb11567d47ddfec96e39ec44
SSDEEP

12288:9227fJXAg9x8ghMOEvFJ9eJ1rmRZ4L5vluMyiAL0L2c8QuU:9T7lpx8uMX/4J1rMZ4tFrA7cZ

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
aacrianca.pt
Port:
587
Username:
[email protected]
Password:
ec98ret4

Extracted

Family

stealerium

C2

https://api.telegram.org/bot8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU/sendMessage?chat_id=

Attributes

email
[email protected]

Targets

- Target
  
  Factura Honorarios_ 2025-04-9.exe
- Size
  
  545KB
- MD5
  
  0d6525a23326e202d8e6bf3796a2bc58
- SHA1
  
  4e4848828aa50fd6075f52fb47ff9a39e537da1f
- SHA256
  
  9c610dc246159235ce291264cf8f46ec080b74cdd27d0d5d23241c89792df5ad
- SHA512
  
  5c3b1fbe21ebeaeef6958336e7d42ac59b80823885f1fe9fbeb9917cb418b3a1287ebf6e78c82a3cfe7ad674799513a64286181feee1a5a19533448bf6b00583
- SSDEEP
  
  12288:T227fJXAg9x8ghMOEvFJ9eJ1rmRZ4L5vluMyiAL0L2c8QuUw:TT7lpx8uMX/4J1rMZ4tFrA7cZe
Score

10^/10

guloader stealerium collection credential_access discovery downloader persistence privilege_escalation spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Stealerium family
  stealerium
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10

discovery
behavioral2