guloader | f14d5c43a154a97b88e9248ea68dfd8d6ba556e5c69a036ddfe29b0bcd0997f3

General

Target

f14d5c43a154a97b88e9248ea68dfd8d6ba556e5c69a036ddfe29b0bcd0997f3
Size

864KB
Sample

250411-chxrnaxwgx
MD5

0ada4805864eb152aac338b3b7e0c2c3
SHA1

2b138c9c8d170f8528e76c651fa4936808fda187
SHA256

f14d5c43a154a97b88e9248ea68dfd8d6ba556e5c69a036ddfe29b0bcd0997f3
SHA512

26363264b39ac8b8df80e23a1a0023da06a8e868a80744673296bccf34194970d139551c6b7269afd7ad67433d50cfa475bd906f3d6f24300448d3b5541fc3c1
SSDEEP

24576:sC7p2oXb4/vRdTlJbuN3lASdnkdPLAQqRB:rl2YSv23bnkJLC

Score

10^/10

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot1793602819:AAH8OgHZZu1s3rSbuE-TXgo0Nkv70Q5Eld4/sendMessage?chat_id=

Targets

- Target
  
  Renovation budget 2025.exe
- Size
  
  880KB
- MD5
  
  f7dcf7a8592da17d6286225bf1386c71
- SHA1
  
  080b11d185c977ac71efad60ff8f02276b0c38aa
- SHA256
  
  4351c0ecaa58ebfc05cd96168092558816fc29fc15630bfcf8f30e7f97537c1b
- SHA512
  
  c47140f138e8de0b247a5e9ee048133f4a9d118742adf8bcd1b27eec229338bf6d07bfe175ffb137a66c99c7f71e4192245483ee3d3e600bef6b4e969da7f689
- SSDEEP
  
  24576:ZNvHEF2EXr4/vdBTlJVuN7FCSbtedxFYAqRmb:Hy2OSvk7vteLFRb
Score

10^/10

guloader stealerium collection credential_access discovery downloader persistence privilege_escalation spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Stealerium family
  stealerium
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  cff85c549d536f651d4fb8387f1976f2
- SHA1
  
  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256
  
  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512
  
  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- SSDEEP
  
  192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Score

3^/10

discovery
behavioral2