guloader | c9e13cac0c279e2e8dbf89b9b105522c36ef2959d0edf4b01f2412a4dc382504

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-es
resource tags

arch:x64arch:x86image:win10v2004-20250314-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
14/04/2025, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Honorarios.exe
Size

676KB
MD5

06f11fae2c47c5ab2284fefcc1b2d857
SHA1

5ac3754e85334b7efbb7cfd85f355f4accc5d0a8
SHA256

c9e13cac0c279e2e8dbf89b9b105522c36ef2959d0edf4b01f2412a4dc382504
SHA512

e50b6a6bccc6bd8bf137da95c4f6306aee08b59e163c08d9e07c6fb238eb5b613f2244a1c57a35b35b54106bf531867c5b258fcb00f6e087121d2546e1204288
SSDEEP

12288:p+q1gzPJzfmf5yNA3PnuNDhxeI82jkxKhVERZmCeuCHxdt1AS:p+q1gt651n0h0ekx+8ZmCeF1AS

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2908	Factura Honorarios.exe
2908	Factura Honorarios.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	drive.google.com
41	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	checkip.dyndns.org
69	reallyfreegeoip.org
70	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4832	Factura Honorarios.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2908	Factura Honorarios.exe
4832	Factura Honorarios.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura Honorarios.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura Honorarios.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4832	Factura Honorarios.exe
4832	Factura Honorarios.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2908	Factura Honorarios.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	Factura Honorarios.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4832	2908	Factura Honorarios.exe	95
PID 2908 wrote to memory of 4832	2908	Factura Honorarios.exe	95
PID 2908 wrote to memory of 4832	2908	Factura Honorarios.exe	95
PID 2908 wrote to memory of 4832	2908	Factura Honorarios.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios.exe

C:\Users\Admin\AppData\Local\Temp\Factura Honorarios.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Honorarios.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\Factura Honorarios.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura Honorarios.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4832

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbA3D3.tmp\System.dll

Filesize
12KB

MD5
9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1
97332a2ffcf12a3e3f27e7c05213b5d7faa13735

SHA256
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

SHA512
26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA444.tmp

Filesize
56B

MD5
b5307e7b627d62de6542856d0b47d5f0

SHA1
e1866633cf751f1d8dbeea101139112449b29396

SHA256
37ef9ba2ea9bdd6ecbb2e6a9694c163689524fb9699f17b0aa2ee104da7175d2

SHA512
553cc7d73f14cadead414a0815990f5ef2532f754a713115a2fdcab2ea60c39c68e98752d0983af9801d70269391e023b183420332e2b2a51df193096057b924

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52F.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA414.tmp

Filesize
59B

MD5
fc9c9f1df9946e7e8bd31eff6059500d

SHA1
a0caede056fe0f2920936316b63810092b7064db

SHA256
eb32cbacd91acbaa6040a42592eed0fd29d6b9f5f69135dae04fc41527088bd1

SHA512
ff6f7f11b4916531f9e0dd32e4e673e7463a5e3b16a925dfd4bca8a44a38c1ae186b9c24a7ceaa280bb0653767d67edaa65531c57259d418d6b8fd5d3abe1ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA414.tmp

Filesize
60B

MD5
54394df9cf092bc59e7f6bde06733e84

SHA1
adb609ae65a1756b73b9f1248483cdff1bbbc96b

SHA256
adfabcec16df1b0e5449840926dba82ce2671e280b8f1800b149547a13792fca

SHA512
bef0918ff66590fce12c20df9af641ee1e5d147f2c013ae746d0a002b4eb0bc8390947dbb3e052887690fd001e5d4494a849400a66b12832cca1eb9944b92741

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA394.tmp

Filesize
72B

MD5
830f634fb44956d70a234c43be9c0b75

SHA1
1ebe612620e801a4db9256781c95048f7573edc7

SHA256
2a404ae066022b1d313fc3fa263e53ba387aa301e650cbca6379847bb1417381

SHA512
8aa1eeab0f139af87885916505c5dd56ba66771d2083da8d505878b09eaaff8b8c35d765a0770d4b7deca4414f9ae88070f91e9ba119c4dc9b44875bdd344132

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA394.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E4.tmp

Filesize
30B

MD5
f7bcbbddb5cb20fdfce72f842cacabe1

SHA1
031c00c0eb114ed2234679c39cb34fdbb9debfb3

SHA256
35dad955ee2ccfe66eb80d670721acf7f83915f1204f07d449aace9c9ca1f2e3

SHA512
2bdb271d96cece4289dec71c02b30a64e509e1e93f25168fd78c72b8197937cc398df0ece30dabc2253129621b8108ed38fa9b2ced12e70ff3f9c5f8ae7b0b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E4.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
memory/2908-566-0x0000000077031000-0x0000000077151000-memory.dmp

Filesize
1.1MB

Download
memory/2908-568-0x0000000073E95000-0x0000000073E96000-memory.dmp

Filesize
4KB

Download
memory/2908-567-0x0000000077031000-0x0000000077151000-memory.dmp

Filesize
1.1MB

Download
memory/4832-583-0x0000000077031000-0x0000000077151000-memory.dmp

Filesize
1.1MB

Download
memory/4832-589-0x0000000071F20000-0x00000000726D0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-571-0x00000000770D5000-0x00000000770D6000-memory.dmp

Filesize
4KB

Download
memory/4832-581-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4832-569-0x00000000016C0000-0x0000000007172000-memory.dmp

Filesize
90.7MB

Download
memory/4832-582-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4832-585-0x0000000071F2E000-0x0000000071F2F000-memory.dmp

Filesize
4KB

Download
memory/4832-586-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/4832-587-0x0000000039EA0000-0x000000003A444000-memory.dmp

Filesize
5.6MB

Download
memory/4832-584-0x00000000016C0000-0x0000000007172000-memory.dmp

Filesize
90.7MB

Download
memory/4832-588-0x0000000039CA0000-0x0000000039D3C000-memory.dmp

Filesize
624KB

Download
memory/4832-570-0x00000000770B8000-0x00000000770B9000-memory.dmp

Filesize
4KB

Download
memory/4832-591-0x0000000071F2E000-0x0000000071F2F000-memory.dmp

Filesize
4KB

Download
memory/4832-592-0x0000000071F20000-0x00000000726D0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-595-0x0000000037730000-0x0000000037770000-memory.dmp

Filesize
256KB

Download
memory/4832-596-0x000000003AA40000-0x000000003AB42000-memory.dmp

Filesize
1.0MB

Download
memory/4832-599-0x000000003AB50000-0x000000003AD12000-memory.dmp

Filesize
1.8MB

Download
memory/4832-600-0x00000000075F0000-0x0000000007640000-memory.dmp

Filesize
320KB

Download
memory/4832-601-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4832-602-0x000000003AD20000-0x000000003B24C000-memory.dmp

Filesize
5.2MB

Download
memory/4832-603-0x000000003A930000-0x000000003A9C2000-memory.dmp

Filesize
584KB

Download
memory/4832-604-0x0000000039D80000-0x0000000039D8A000-memory.dmp

Filesize
40KB

Download