guloader | 1b3b9f0c7a82fa5f4e656376d971581211ba332c7857ee114365fecca818b863

Analysis

max time kernel
112s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recibos.exe
Size

681KB
MD5

3203fe67417ccd0ba749ceb720f680e9
SHA1

343a8c2ac8ae34afc1b343490d256943021f08d1
SHA256

1b3b9f0c7a82fa5f4e656376d971581211ba332c7857ee114365fecca818b863
SHA512

c2c3c9e2415bd0abd3db236c72613635a4054cf014fef54d72e48de7bcc169041b6b8d551cf06c07c9dd985c59e2de1eaec436befa443768940bcdfc52fb0521
SSDEEP

12288:q+qkDlXDwOiNuB2WPFwl5Lmpb3vliE4mCeuiBnKINft1AN:q+qkBwhNoVqHmtfCmCeHPNF1AN

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019
Email To:
[email protected]

https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
5680	Recibos.exe
5680	Recibos.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Recibos.exe
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Recibos.exe
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Recibos.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
28	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	checkip.dyndns.org
41	reallyfreegeoip.org
42	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4236	Recibos.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5680	Recibos.exe
4236	Recibos.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recibos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recibos.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4236	Recibos.exe
4236	Recibos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5680	Recibos.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	Recibos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5680 wrote to memory of 4236	5680	Recibos.exe	92
PID 5680 wrote to memory of 4236	5680	Recibos.exe	92
PID 5680 wrote to memory of 4236	5680	Recibos.exe	92
PID 5680 wrote to memory of 4236	5680	Recibos.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Recibos.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Recibos.exe

C:\Users\Admin\AppData\Local\Temp\Recibos.exe
"C:\Users\Admin\AppData\Local\Temp\Recibos.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5680
- C:\Users\Admin\AppData\Local\Temp\Recibos.exe
  "C:\Users\Admin\AppData\Local\Temp\Recibos.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4236

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb6FD7.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6E6E.tmp

Filesize
56B

MD5
9fd6cde03f44744e40ad1052fe923bce

SHA1
ade1a22e886b9fe5b22a340f17b58c08fb5a16da

SHA256
23dd38f956f3c3c7b7c53352e1fd05fa7c74d4bacaa7f2f943b38b60bb199d9e

SHA512
5aada101fc6749ab0bedb8a17997a83b7ad6f111ab8560c230b3479b6ad6ce6822691a3eab832b1a60403726e5ff7f28587a20a7ead27a75790e7ea0d87e49f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6DED.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6DED.tmp

Filesize
68B

MD5
acc8e2dc8ef177e828af296be96c6a4e

SHA1
7cc55fd8ac9beeedff4b42acbe7a99d0559f178c

SHA256
860e81e337b378b1d03c4f9205ef876d901e44758d7068a43f7d80eaec9c59aa

SHA512
ba120dda31785f9ff6d9c4ba55eee99c8c0fffa7cc84afac054387da49dd5085e454996a4acd9018cfb4eea887e7610b6265533b9be8bbb2c5063ed071bb9e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6DED.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6DED.tmp

Filesize
21B

MD5
8971b7a691c3fa70cb038019ee564845

SHA1
bdffd99c78750e7832d7d1e0cdee6c08c089ecb5

SHA256
612365d1000c11e69ee5ecd1faa7dc59078993959c48b7916a580b7bd3cbf587

SHA512
ee51ddd485220a130dbd4ae28f47f7bb990ca989deaabd5467b2f446cba05b2e600e1c04414e844c94bdc0b68bdfc2618e8aa410401cbb640c59831b8f9647d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6DED.tmp

Filesize
65B

MD5
1bd5509d17a385dbcebec5b71de8dffc

SHA1
9d70c3f205dddda5e33e5de97c0a09feb6836130

SHA256
2bad3065546719b1e5ff58cb7ca6231b6cb669fb1fd06fb30102e9df00d63e60

SHA512
ca43f9d62ad2c3b950b816274869a1c0bd22b77bbb80fc810783ef23b9317362132fb2f29510bb51f4d00940d8c9038b5700560b6f1e38722b2e65037c148bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq6E5E.tmp

Filesize
60B

MD5
ba3e888ad97b8bf3fc0e20a95a689988

SHA1
a1a040304b8a08ce555a2ff635d808f935fdd8b5

SHA256
ed8dcce5089b966bf7c29610daac67f24735587c740b68d4ccce60fe7d7b7438

SHA512
01f0d4118b8bb4f3267cf277fa9af23202d0e35b27530c8dbd2e696666b33f4030114558dc2fe2d1d5ed7b769f2aec9060dc172a5940ce11d6425b2a7420a08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6E2D.tmp\System.dll

Filesize
12KB

MD5
9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1
97332a2ffcf12a3e3f27e7c05213b5d7faa13735

SHA256
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

SHA512
26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6E2E.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
memory/4236-578-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4236-589-0x00000000727B0000-0x0000000072F60000-memory.dmp

Filesize
7.7MB

Download
memory/4236-595-0x000000003A300000-0x000000003A30A000-memory.dmp

Filesize
40KB

Download
memory/4236-569-0x00000000016C0000-0x0000000005F2B000-memory.dmp

Filesize
72.4MB

Download
memory/4236-570-0x0000000077948000-0x0000000077949000-memory.dmp

Filesize
4KB

Download
memory/4236-571-0x0000000077965000-0x0000000077966000-memory.dmp

Filesize
4KB

Download
memory/4236-594-0x000000003A210000-0x000000003A2A2000-memory.dmp

Filesize
584KB

Download
memory/4236-579-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4236-580-0x00000000778C1000-0x00000000779E1000-memory.dmp

Filesize
1.1MB

Download
memory/4236-582-0x00000000727BE000-0x00000000727BF000-memory.dmp

Filesize
4KB

Download
memory/4236-581-0x00000000016C0000-0x0000000005F2B000-memory.dmp

Filesize
72.4MB

Download
memory/4236-583-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/4236-584-0x0000000038CE0000-0x0000000039284000-memory.dmp

Filesize
5.6MB

Download
memory/4236-585-0x0000000039290000-0x000000003932C000-memory.dmp

Filesize
624KB

Download
memory/4236-586-0x00000000727B0000-0x0000000072F60000-memory.dmp

Filesize
7.7MB

Download
memory/4236-588-0x00000000727BE000-0x00000000727BF000-memory.dmp

Filesize
4KB

Download
memory/4236-592-0x0000000039C80000-0x000000003A1AC000-memory.dmp

Filesize
5.2MB

Download
memory/4236-590-0x0000000039890000-0x0000000039A52000-memory.dmp

Filesize
1.8MB

Download
memory/4236-591-0x0000000039A70000-0x0000000039AC0000-memory.dmp

Filesize
320KB

Download
memory/5680-567-0x00000000778C1000-0x00000000779E1000-memory.dmp

Filesize
1.1MB

Download
memory/5680-566-0x00000000778C1000-0x00000000779E1000-memory.dmp

Filesize
1.1MB

Download
memory/5680-568-0x0000000074725000-0x0000000074726000-memory.dmp

Filesize
4KB

Download