guloader | 188f9b719f24aaf73655af22e8ed2228a22b9045fd6e3ab96c39dea2edb03933

Analysis

max time kernel
106s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kelivn.exe
Size

677KB
MD5

4875ae9940b3b14f9c6c9444f20d9dbe
SHA1

185cfd7bb21f13457c12a848f6c7a8372e7ef2ec
SHA256

18036ef7ea07672835b6f92dba5e92a833be93cc1fd788e050a64b2a931c97cf
SHA512

0c864435332a281a9669f65474a02fa61c8650d47338571016b75a3df8a7cd69adb5a1945e7be8fb33446a600f2c6e82a05e527aa11b9bd76968eb6621d28f28
SSDEEP

12288:z+qCR9W/vWvSca5Sxm7T4qvqMvbcvYDfgabdi3Ki8ejxXiT76pCafmCeuByUt1A:z+qCRva5Sg7HTSYDI93KihO7WCafmCex

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7834598939:AAFj8m-2kxM1EMsJuJcRikBu2XJcBLqyVTc/sendMessage?chat_id=7534008929

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
1276	kelivn.exe
1276	kelivn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	drive.google.com
14	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4468	kelivn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1276	kelivn.exe
4468	kelivn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	4468	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kelivn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kelivn.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4468	kelivn.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1276	kelivn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	kelivn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4468	1276	kelivn.exe	90
PID 1276 wrote to memory of 4468	1276	kelivn.exe	90
PID 1276 wrote to memory of 4468	1276	kelivn.exe	90
PID 1276 wrote to memory of 4468	1276	kelivn.exe	90

C:\Users\Admin\AppData\Local\Temp\kelivn.exe
"C:\Users\Admin\AppData\Local\Temp\kelivn.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\kelivn.exe
  "C:\Users\Admin\AppData\Local\Temp\kelivn.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 2268
    3⤵
    - Program crash
    PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4468 -ip 4468
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa4750.tmp

Filesize
15B

MD5
232ea7835f5abeffc769949d0bad82bf

SHA1
d8183e34d3c48afb0f7598a4dc11182218d7e9fe

SHA256
384e1fc0d130aa5cbfa9077f6de89b555e096afb67cd2dd827933b992549e69c

SHA512
e552cc1f310029859899ab726b70ef38c08026af5e0c125c58e9b31005d8c2fd2d636d8bb3aaf8a039aa3450f058c038186da34b63e883e3613049a6df6905e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4750.tmp

Filesize
19B

MD5
9b81480d3420dfa314a7ca8c685e3c0f

SHA1
1bd4068ee9af7a94d6c59c563f191783b158c65b

SHA256
ef5767399ab18e9604a1ce029f5ef4228a2421f599ab580bfff4e2e4fb6b409d

SHA512
2b5ecd729d0a9b22e1744a17051745d929c686b14e3815787769d2d9577ccdf12686201a48c64103fa11d8525e70074300ea95d5e23b09bbd5df9e6752bb4731

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4750.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4603.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4603.tmp

Filesize
18B

MD5
1a42166fa1e8a360271d4fb25c78fbda

SHA1
f4d1ad6ecdc1202a2c08c03514ec814072b818d2

SHA256
b271abd85535886a3753ee0a5e8957a1bf2e502c4a275d1d8f7f5ddf3b7de292

SHA512
ee3342a9a407bfe56e7c65c1f1c0b15624fbffc60c88ff9e404a1dbebcfd606f42de8cb61624f992f57fca2e05d75a64611a78e508c7772ffaeb9c5924c87c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4603.tmp

Filesize
42B

MD5
b6a6fc39000a885d47bb4a68599189d2

SHA1
2e6af0f8af28d0ccf111437ebdef42fc9b87d976

SHA256
d0e907cfed7dd830efd34ab698cfbc7726f29b52b71479f6ee9cc34087925d26

SHA512
79f428030deceb2504105b031f605836640f70e070c23dfc3d8f815c3b08b7377cb53455e8a8333dd7b2fca5507da24682b809eb586d8ce3a223e532a93d9263

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4652.tmp\System.dll

Filesize
12KB

MD5
9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1
97332a2ffcf12a3e3f27e7c05213b5d7faa13735

SHA256
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

SHA512
26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46A2.tmp

Filesize
27B

MD5
a4fef08db3bf7402436db287f01bb2fc

SHA1
66c9356fcc83fdda2e04821fa06ab8bee4f26720

SHA256
92bbc71aa04b34f3d6666861e615244db3d3be6f1287b3947115ea9d0e98a5d7

SHA512
3da695803076c9b338d9fac3d9da91ac8e0f8b4fb28665ad175325684a5688e83f56bff62766d99583ea9b2a0e394ad64f4fff3fc45b3fe154e6b4026ef7a44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46A2.tmp

Filesize
29B

MD5
5b2357aa9ee8d93ebc8fea2a7da01fda

SHA1
3a5bb5ceeeb26ee649ce9c8fa1c47e45d8c8f00a

SHA256
f2b723416cc41c59b870a8fbbe8ecab3cd0cf2298902649a50668b1b88e6e835

SHA512
03d9cbca3d09de197530779f90b8864da4a34aa50a7dc87fdd964ac53a5a6a73f543fe5727fc2df29b9cf5b3646b1ffc60b90883148c1989fdbcee5658582fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46A2.tmp

Filesize
34B

MD5
08cf70a31c1fc73e3665d26682a2e12c

SHA1
e3396cbc8e44de7807c46f315984112e87f3e515

SHA256
ca04cfa3e6910c5969348909db382ee91f43ca601b652c8baf005b76aa0a25b2

SHA512
4b712d5baf833b3911740844b8165151a739cc0d38153585fea2b9064d633e2d1fbff97e94d4694b7492d5186d85e85a5868a868800901f8bdc7077ae96355c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46A2.tmp

Filesize
50B

MD5
ed015ab3fa513b24b49e03c6a71d50a3

SHA1
1eeda1bfec40b5ec056c5f2bf140ddb1c0178dc3

SHA256
119dfb213407957add88d279b6dac7cc47f96a4b590336b21e9d9b2333594785

SHA512
460abf9d9703dddda3ac444d03dcea41e55367658eff5abf61f7feeccbbfb69f1523c156a8b06a377c3f5faa536851712a29c0c2c682520f34dce925a2028ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46A2.tmp

Filesize
55B

MD5
f3feddb908daf8ebc59419a415befee0

SHA1
baa588b8b74ab8385023a47c0b66f0ccd3596cd2

SHA256
652ae49d541bf42266ba8b3c8a5ac350db02051f912ee4eeff92ddb7500ff73d

SHA512
b0af5af013b2367df27b552b64ce08e914182fa2b6c4b130b41d9e69acb740a977b8ca7a983f93e1d595977a70b02fb6fcc6ce64cf677e1be29f6da3a302cd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46A2.tmp

Filesize
60B

MD5
fc1964b9e401c68f4b8f682bd598f63f

SHA1
ded17cdddefec700382354f30cbd28deb2b9fc64

SHA256
37392867f6fe947f037ebe6056448646d084dd40b4380942c69333d3d5106681

SHA512
14d52983d5fa97fdb40e00bb6b0e33fa1140d6b199d7cc413a48523e6471c52582d4c3fafc6dcca2532c7ac7c20a90e83d65d0779630d15afaa310879fc68044

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46F1.tmp

Filesize
21B

MD5
536389bbf053b80ce24ccb866d88062d

SHA1
6b73170d96a856ed910dad0c6da873ef30f90396

SHA256
43cb47f4df5b0c44fda22501a37e5ea542847cb48c2e184e10d47dd20900c2e4

SHA512
6d86692b95765720e371e1c026eeaa8adcb4a166c733a172d6a578b67e9cf604c12a907ea927e494463c6102a40262a1f0b4059c62b330110d64f4c5b8208a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46F1.tmp

Filesize
41B

MD5
629a1294f191dfa2e255764110158818

SHA1
f60bccbc5a734c77c39e30b24502e84be9a87c4a

SHA256
7bf47a274f6a6d0c2a258cfd44b3c68df73627e599fd22d91db60da7cf70c3ba

SHA512
049b5e7c841aaa840ca1f67abd02297e3946914de342a877151797827f12e134fc9e6b6f5771b79fc4a36944c08414ce888917c12fd229fc7d0815116ff6a7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk46F1.tmp

Filesize
56B

MD5
f7b83d33d71d64eaca77185d783be05b

SHA1
25b99d4f9de1822db65a81d49edb7dda6a550515

SHA256
642125fb8dc0639670be0a78cec270e4eec186b61a858aa5c6323610b0d8e0be

SHA512
6ebb43d9a669e9dd36d98a8cb43771ab8e1b117bcd077e1fe3c73299f43a09ef2d3e63efd66b11a9042d605ff21f882ea70902da0472b85f3d2acd2690eed073

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4672.tmp

Filesize
33B

MD5
d0c16d35895f4a76cb4fa85fc11c6842

SHA1
61d36c5b3fd3f0772608359b7ed9890b0474aee0

SHA256
d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59

SHA512
3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4672.tmp

Filesize
35B

MD5
baf2a3b161f59f08e4ac15360a33f91e

SHA1
7720d461221d6947de0c8295c9a350de7793e0e2

SHA256
8c876ae7916572fa02c0c9841d47358f549363bda4f2879944e44c250f29e431

SHA512
b9ff3c4e06b93e7896a44bbcc4f228e6bed9afc14d4996bb5953851157773882d576826df5d1b9b2000356d69c3a43a61186f88027c4c9914e7aca8a93aa357f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4672.tmp

Filesize
42B

MD5
a736abcb9380cc3122c530302f713c8b

SHA1
04b4d0d386bd0ade20409730e8160c5c713fb36b

SHA256
5e8f7f2bad61bc10fa2f647e1367a29053166799244128a74508cc3c3a760c08

SHA512
234d99b774a992d86762c9d298dc62d612219234db760a259d6e21ed9d1f10dd810aefb4d9c82af254ceb7d64ff2811772dfc4350ccdfd4375f01a7b801cc333

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4672.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
memory/1276-571-0x00000000053C0000-0x0000000008353000-memory.dmp

Filesize
47.6MB

Download
memory/1276-567-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/1276-569-0x00000000740A5000-0x00000000740A6000-memory.dmp

Filesize
4KB

Download
memory/1276-568-0x00000000053C0000-0x0000000008353000-memory.dmp

Filesize
47.6MB

Download
memory/1276-566-0x00000000053C0000-0x0000000008353000-memory.dmp

Filesize
47.6MB

Download
memory/4468-577-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4468-578-0x00000000016C0000-0x0000000004653000-memory.dmp

Filesize
47.6MB

Download
memory/4468-579-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4468-580-0x00000000016C0000-0x0000000004653000-memory.dmp

Filesize
47.6MB

Download
memory/4468-581-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/4468-582-0x0000000037400000-0x00000000379A4000-memory.dmp

Filesize
5.6MB

Download
memory/4468-583-0x0000000037280000-0x000000003731C000-memory.dmp

Filesize
624KB

Download