guloader | 9626a23f54ddd20eb8ca9b910f97954504f1676b71df8150f8f9a5e0d6072f88

Analysis

max time kernel
147s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Confirmacinpedido1211073874.exe
Size

643KB
MD5

7c012ccbe118eb2b08418c0bc8225052
SHA1

dd1c854c64a6d3e3265cc648d578c5f4acf4df8e
SHA256

9626a23f54ddd20eb8ca9b910f97954504f1676b71df8150f8f9a5e0d6072f88
SHA512

09d3bbbc1850fd8eb16fd7409ac269361dadf670cb887c38bd170c7da363d9e2cd97364e960152451690f0396dd3fef71a2add8c480e032d093e3bccc047fdfd
SSDEEP

12288:u+qBlcJ90annNzz5FZz/dops9FcUF8xaJ9BcHUepC2mCeubt1AW:u+qXWhNnBdopCcYcQBcHrC2mCek1AW

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019
Email To:
[email protected]

https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
5884	Confirmacinpedido1211073874.exe
5884	Confirmacinpedido1211073874.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Confirmacinpedido1211073874.exe
Key opened	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Confirmacinpedido1211073874.exe
Key opened	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Confirmacinpedido1211073874.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
13	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	checkip.dyndns.org
27	reallyfreegeoip.org
28	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4160	Confirmacinpedido1211073874.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5884	Confirmacinpedido1211073874.exe
4160	Confirmacinpedido1211073874.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmacinpedido1211073874.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmacinpedido1211073874.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4160	Confirmacinpedido1211073874.exe
4160	Confirmacinpedido1211073874.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5884	Confirmacinpedido1211073874.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	Confirmacinpedido1211073874.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5884 wrote to memory of 4160	5884	Confirmacinpedido1211073874.exe	91
PID 5884 wrote to memory of 4160	5884	Confirmacinpedido1211073874.exe	91
PID 5884 wrote to memory of 4160	5884	Confirmacinpedido1211073874.exe	91
PID 5884 wrote to memory of 4160	5884	Confirmacinpedido1211073874.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Confirmacinpedido1211073874.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Confirmacinpedido1211073874.exe

C:\Users\Admin\AppData\Local\Temp\Confirmacinpedido1211073874.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmacinpedido1211073874.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5884
- C:\Users\Admin\AppData\Local\Temp\Confirmacinpedido1211073874.exe
  "C:\Users\Admin\AppData\Local\Temp\Confirmacinpedido1211073874.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4160

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb710A.tmp

Filesize
70B

MD5
f603843c4b1146c576a2c9e0826de265

SHA1
5de71ba33c20cfb74c19c706a4a44706d78fb102

SHA256
ada9d1ffc0e78d2e2c05290b4ba1b1b04bc9c97a8f8e084ae0d49e36a9bb9c0c

SHA512
7a5a8ebc1c12193783ae711eb4716c1a2e52d1c4799dcd7f2a29924c246b1c665f456de3eaffd5e9cd7f42e788009e2798d1121c8d695698c86349bff17d5e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb710A.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb710A.tmp

Filesize
11B

MD5
bad78a997013818e85c1091ce1f575e0

SHA1
fa7b6b576c9b365194a222dfd1d3805121544fd3

SHA256
e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d

SHA512
c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7159.tmp\System.dll

Filesize
12KB

MD5
9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1
97332a2ffcf12a3e3f27e7c05213b5d7faa13735

SHA256
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

SHA512
26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7219.tmp

Filesize
9B

MD5
bc86ffa91686a2ee2ac3cc3d50c4389e

SHA1
6d81aa156225f8df56a7711519ac3ff87abec24f

SHA256
9e56c757510a69c7ee47407dbda53e8d8b983755854362df4dbcad941696dceb

SHA512
5c54242e478199a95f615af1ac74fda63f4a1a1e22ef5799dc552ed432320adb20df54f9083cee1ee7c2d8ef2792f0f12e579229b7c64ffb74952e3044f4b7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7219.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm719A.tmp

Filesize
54B

MD5
afdee2aebb0cda7a1671c55bcb9ac8a1

SHA1
11501296e17c61a41acf034ce8f795ffb06f329b

SHA256
484063f7f056f4116d6eb063487186ddfdc33f3f0936527f016f5f5f37a7d34a

SHA512
8d06a85c093802469baed0a1e7a77182619d05b71e37c074f1cf1cc59c3d9e57e12ceaf5e55986d5c13954f04a82f4f0461cda943b5c09e6b763a41d507ab323

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm719A.tmp

Filesize
57B

MD5
d1c3468990ba6545d9b82b7c370fe82c

SHA1
6f11f46134240ebc62bdc4565c08aaab9af11b69

SHA256
bfe3d8872c4c7cd238457625483e81e61ea3e7f8f6dcf95ff825af2284a2f5a2

SHA512
aab6a7a74d4ab54ef8db9c6f6c5d88f3e1fdb6d9deafadc3a06d8340e969dbe77ab3bb9f9aa75d68f99b17a7d4a9b0bbcc493fd07e05a2f2985231d08a58b8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr716A.tmp

Filesize
30B

MD5
f7bcbbddb5cb20fdfce72f842cacabe1

SHA1
031c00c0eb114ed2234679c39cb34fdbb9debfb3

SHA256
35dad955ee2ccfe66eb80d670721acf7f83915f1204f07d449aace9c9ca1f2e3

SHA512
2bdb271d96cece4289dec71c02b30a64e509e1e93f25168fd78c72b8197937cc398df0ece30dabc2253129621b8108ed38fa9b2ced12e70ff3f9c5f8ae7b0b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr716A.tmp

Filesize
38B

MD5
874eecec3fc35024420ce6005d6991bf

SHA1
743f31a53191481b4d1e95cc5d4330c123e69a0a

SHA256
1feb2f5544655440d6bdf724776f3fc7b9c9dfb226fe96385423579e03954626

SHA512
b5b5ecceeb820a519b3bd277265ed874def5a0a16d1a13af5d60e709cc7e8c8fdfd7a7b7ba694943d00e7a30fb9c267258fd1ed57418c5187acb42177bbe6c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr716A.tmp

Filesize
44B

MD5
a34dd33a1fabfd2c2a268ca5dafab94f

SHA1
4d321237095816d8ad7a3e8c16154286bcb161e9

SHA256
dfc902cecc7c8eba5bd0d37e27541823ba74c67ac26cd263568f9b4880ab6f1b

SHA512
e22f1a71835ce0fd8add953d182b1999f65db2c8c434beadc7e1db39dda17ddf669c8bd2ba266b17c0b6eac4cf44480b307b17fbc32b1521a505c49bab5af7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr716A.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D9.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw71D9.tmp

Filesize
56B

MD5
74ad0c87db7baa279a964c5a22fedaa9

SHA1
2a2559f6843c8cd018faa8c5dd234ffd64544cac

SHA256
a3ada9ffefd107a732993a1f25a38d4a88e7a80ea9fbe670a0eb5d1d6880a670

SHA512
b86e529221a884a4ddacd2e14ee2907dea99583947b963439e962499ef9a15c6d9b6efdad720fdaca60c0470470baa2e98307755d33b64a85fc1b1d56f978f2a

Download Submit
memory/4160-582-0x00000000016C0000-0x000000000266B000-memory.dmp

Filesize
15.7MB

Download
memory/4160-581-0x0000000077791000-0x00000000778B1000-memory.dmp

Filesize
1.1MB

Download
memory/4160-593-0x0000000032CA0000-0x0000000032CAA000-memory.dmp

Filesize
40KB

Download
memory/4160-592-0x0000000032BB0000-0x0000000032C42000-memory.dmp

Filesize
584KB

Download
memory/4160-570-0x00000000016C0000-0x000000000266B000-memory.dmp

Filesize
15.7MB

Download
memory/4160-571-0x0000000077818000-0x0000000077819000-memory.dmp

Filesize
4KB

Download
memory/4160-572-0x0000000077835000-0x0000000077836000-memory.dmp

Filesize
4KB

Download
memory/4160-579-0x00000000016C0000-0x000000000266B000-memory.dmp

Filesize
15.7MB

Download
memory/4160-580-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4160-590-0x00000000363C0000-0x00000000368EC000-memory.dmp

Filesize
5.2MB

Download
memory/4160-589-0x0000000035C90000-0x0000000035CE0000-memory.dmp

Filesize
320KB

Download
memory/4160-583-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/4160-584-0x00000000354D0000-0x0000000035A74000-memory.dmp

Filesize
5.6MB

Download
memory/4160-585-0x0000000035A80000-0x0000000035B1C000-memory.dmp

Filesize
624KB

Download
memory/4160-588-0x0000000036030000-0x00000000361F2000-memory.dmp

Filesize
1.8MB

Download
memory/5884-566-0x00000000051F0000-0x000000000619B000-memory.dmp

Filesize
15.7MB

Download
memory/5884-567-0x0000000077791000-0x00000000778B1000-memory.dmp

Filesize
1.1MB

Download
memory/5884-569-0x00000000745F5000-0x00000000745F6000-memory.dmp

Filesize
4KB

Download
memory/5884-568-0x0000000077791000-0x00000000778B1000-memory.dmp

Filesize
1.1MB

Download