guloader | f84832a0fa532ccb9bbd31b6e5a6a7746e582124c2f982b60930fe583f2e4cff

Analysis

max time kernel
299s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Honorarios_ 2025-04-14..exe
Size

645KB
MD5

619e2fa8cf181dcce7df16e5fee4065a
SHA1

7c72e48804fbd2bd8b4f28e69f916d910afd5cc7
SHA256

8e6c5f4651741758b6b141da89e4c27fa244eccce3d9beaf4b1ae0e48f13d5a0
SHA512

9840537924bf3858b21771945798f49b2e907b8efee4fe4e7ae5a0762c5ff451543b95d9750e31d0203ec485da45535c03d8cfbeba88ca70533ddb19ac4ad303
SSDEEP

12288:u+q6+b0201LM+OryHE3WrRMnSUO8nmCeud3f2KHTlt1A:u+qlA20WyGEyltnmCe8fJ31A

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7940557245:AAGEVNBuuGDhlbTi3PPq7irUInwmQ9JgMqQ/sendMessage?chat_id=7590946867

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
5876	Factura Honorarios_ 2025-04-14..exe
5876	Factura Honorarios_ 2025-04-14..exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios_ 2025-04-14..exe
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios_ 2025-04-14..exe
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios_ 2025-04-14..exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
17	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	checkip.dyndns.org
31	reallyfreegeoip.org
32	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4004	Factura Honorarios_ 2025-04-14..exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5876	Factura Honorarios_ 2025-04-14..exe
4004	Factura Honorarios_ 2025-04-14..exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura Honorarios_ 2025-04-14..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura Honorarios_ 2025-04-14..exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4004	Factura Honorarios_ 2025-04-14..exe
4004	Factura Honorarios_ 2025-04-14..exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5876	Factura Honorarios_ 2025-04-14..exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	Factura Honorarios_ 2025-04-14..exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5876 wrote to memory of 4004	5876	Factura Honorarios_ 2025-04-14..exe	93
PID 5876 wrote to memory of 4004	5876	Factura Honorarios_ 2025-04-14..exe	93
PID 5876 wrote to memory of 4004	5876	Factura Honorarios_ 2025-04-14..exe	93
PID 5876 wrote to memory of 4004	5876	Factura Honorarios_ 2025-04-14..exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios_ 2025-04-14..exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Factura Honorarios_ 2025-04-14..exe

C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14..exe
"C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14..exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5876
- C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14..exe
  "C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14..exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4004

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc8D30.tmp

Filesize
52B

MD5
56b966ad3245835be841fc60917e232b

SHA1
2b80a956bb91eaedbc4e0c553c46a50fd6ce75bc

SHA256
a24b0b5952569c13481d539f84dfa956156b6a9cbaf0ff50a62fbe2ecd81cc17

SHA512
67e3f1946fb3bdabaaa1316d83e4d003d7acfbcc18cce6de8b45e6223770c0e2bd92220fda1aa780d6008abf90f6ba619e37feaf65fa431bf6c7a8b69328c321

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8D30.tmp

Filesize
60B

MD5
6003c892b3f3e6857b44804bb171e32b

SHA1
e5388e8d8163b149dcc9c496a3bf2a4a23a0ad77

SHA256
6aca13da7c0fef80812c437ed6ebfc24e9ab6dc53f36b8f42c6b7071f84e3ca8

SHA512
e935627de21df33244c6aed2fdd8e2d8750bdff40574c1063c02334e2059649b7338e1ff2732efb8b0b0110e53e0a67c25390ee8de314b601aa13e37095cf4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D01.tmp

Filesize
16B

MD5
299751a30a50b5a6b62371c27fc4e478

SHA1
2a016fdba9876a7aade76bff3c4780633d5e6ef4

SHA256
0d4b1effa5ab30d5f6d9e6b1bd6de429d4a25075dbdf2f28d67beab72f6bff0e

SHA512
6917664885b34990ded6171ea01bfb2e1ff67e38455bee9d75e80d3905db7e7199679ae3761e290062e679ccf2555804b0ec1a59a5fd74c5069857c3326264e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D01.tmp

Filesize
27B

MD5
0ec6691c283ddc7f19331d3c214c58d2

SHA1
5b30d6927130c7a3ce16dfa809238c6f6fc61e6f

SHA256
1bf567e8c29ff4bd0866da8a312c38c4c2ffabf6916a87fa7bc7bbba2b42db36

SHA512
8ea2702bd97781067bdfe3008e9aa1da303db56b8d03bd076823308d299e369b2d989708ea707b5c4a51b96d3d07001e7f0c3d9767f08933fde0f9feba28493f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D01.tmp

Filesize
33B

MD5
d0c16d35895f4a76cb4fa85fc11c6842

SHA1
61d36c5b3fd3f0772608359b7ed9890b0474aee0

SHA256
d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59

SHA512
3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D01.tmp

Filesize
51B

MD5
b61b2f1546b29486a8a0d25e1cba7721

SHA1
c19a4677b46a71e1624d77b3af0af2411c57f6b1

SHA256
15f6b52edd0bf33f8fbc357d9fdc3287d97e51227eeb0a21dc58a3337d9fa692

SHA512
429c3b7917cd2ef31765683ac06f434aa5081e0113ccad168312a696e3c66ba36834113068f6ef2e291918db80617d347ea1f5c81c32b0f17702925407779cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D01.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CA1.tmp

Filesize
51B

MD5
25e25dd5339a5ffa3029882c78781ba5

SHA1
4a3f9570af7ac769c1ed9f3f6635610f580f25a2

SHA256
95d99ced3262b6abe20846c575046294e0cace752cab5ab2067c4b78982ab61b

SHA512
7c5ad14c5c038c871576fadd2f7ca1c04425fe7536c0e94e7817197ec43a732369b31ef42ef194c2e44b52dfb55237a3b6a5663e17b106482a7a22f1434f2bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CA1.tmp

Filesize
68B

MD5
acc8e2dc8ef177e828af296be96c6a4e

SHA1
7cc55fd8ac9beeedff4b42acbe7a99d0559f178c

SHA256
860e81e337b378b1d03c4f9205ef876d901e44758d7068a43f7d80eaec9c59aa

SHA512
ba120dda31785f9ff6d9c4ba55eee99c8c0fffa7cc84afac054387da49dd5085e454996a4acd9018cfb4eea887e7610b6265533b9be8bbb2c5063ed071bb9e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CA1.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CA1.tmp

Filesize
45B

MD5
5bc80a3e025e6d7c0ff9536d7af1c8b1

SHA1
c7dca5ef716161e30829bcfe28b59ec430fdbec0

SHA256
8d563467c54bb057b01f2366722a14e9416510bf4955afa746cbeb2f221312fc

SHA512
cca0649c6cc7a92de2c46bf64084bce5e0ce44ef5acbdcb7527231d5372d74b0a1b3d0856ecfa0d32a5a0fbf5219df8117b14bec29d513fb55da0d1f25a6ad8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CF0.tmp\System.dll

Filesize
12KB

MD5
9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1
97332a2ffcf12a3e3f27e7c05213b5d7faa13735

SHA256
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

SHA512
26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8E2C.tmp

Filesize
8B

MD5
0aff9fdb7bae79c535cbdbb7f3ecb028

SHA1
cb32be0ca11c3fb6ede60d578af91f0aa21af6e5

SHA256
09db256670b92566a3108f5913d78b8b872c473340abf48cda2af7ca33cec3df

SHA512
f52bb5b8846dadea41f8951a40258813d6c3f40328996945c23c6f4588e7e8bb5bbdd7f83bf0da45b123c14a1c826dd7e4f8439bbe4a9888d238848222530995

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8E2C.tmp

Filesize
11B

MD5
9234653ab7a15a6a77df6d71833b2863

SHA1
40bced20128597a1a694eeb78cfeb926b606a9cf

SHA256
cb9399842dd29519b6a475e7496610bf77edb3c59b56b4a708f0304632c909a8

SHA512
0245b93f0b052ea70e7f5aa2c2b139f833ad40e67eaafa8c1b51421b87f67e7ef8218df07d397e862d6210f941930e71e21c2159e01fbd415a42c5eec9c48c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8E2C.tmp

Filesize
16B

MD5
ebceb0a1fed026e3e34e7b8da2d4a813

SHA1
792fda9449b9d86f592c58b90ac24df15db59e45

SHA256
36be9a2540809bed9173f5517226ee7301996dbd5a7b07451a512a0e2ceccc8c

SHA512
cd3534dfb1ea2f0cf392304bcb36ecfb3a4e4125162973974ff9ec4e52c5d0940a734b18f592f7e81459afc2b6e35452163f7068267fc957c4c09894f45f969a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8E2C.tmp

Filesize
22B

MD5
38f296e431f9e889c855110f746a1a1f

SHA1
a1f2212648b7d681e10a295ca270ec6ef9c7cb2a

SHA256
89870b6b02e2247d1e10942aceede7bf4adeb820bae945b77d0e2c5f5669e514

SHA512
a074bd4debd9aa11fc50c3ab1cd5b1aaf365931d790600818ea51a58bfca6ea17feb872a1a11dfd8542cd5e1798bdf171e4305e81e4a409a0253db31c84b91e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8E2C.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8D60.tmp

Filesize
56B

MD5
29a28ce2b1e65d140f33352d68603e6f

SHA1
6c018cc95d5c6145b253dc0ecf7788ba60a186e8

SHA256
703e34699df3afe05877ed93aa2f8d37e2868411d55397a921fb45a0509816a2

SHA512
4285dd432573efdabf9e11d787a75db6eea018c7c427237012e3e0b89a589c1f79c5fb2f437f5d8f5d4af404f8dd72f7d14cc6012b877550f3291f325a0fe1d3

Download Submit
memory/4004-586-0x0000000038880000-0x0000000038E24000-memory.dmp

Filesize
5.6MB

Download
memory/4004-585-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/4004-597-0x0000000039EA0000-0x0000000039EAA000-memory.dmp

Filesize
40KB

Download
memory/4004-569-0x00000000016C0000-0x0000000005982000-memory.dmp

Filesize
66.8MB

Download
memory/4004-570-0x0000000076F78000-0x0000000076F79000-memory.dmp

Filesize
4KB

Download
memory/4004-571-0x0000000076F95000-0x0000000076F96000-memory.dmp

Filesize
4KB

Download
memory/4004-580-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4004-582-0x0000000076EF1000-0x0000000077011000-memory.dmp

Filesize
1.1MB

Download
memory/4004-581-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4004-584-0x0000000071DEE000-0x0000000071DEF000-memory.dmp

Filesize
4KB

Download
memory/4004-583-0x00000000016C0000-0x0000000005982000-memory.dmp

Filesize
66.8MB

Download
memory/4004-596-0x0000000039DB0000-0x0000000039E42000-memory.dmp

Filesize
584KB

Download
memory/4004-594-0x0000000039820000-0x0000000039D4C000-memory.dmp

Filesize
5.2MB

Download
memory/4004-587-0x0000000038E30000-0x0000000038ECC000-memory.dmp

Filesize
624KB

Download
memory/4004-588-0x0000000071DE0000-0x0000000072590000-memory.dmp

Filesize
7.7MB

Download
memory/4004-590-0x0000000071DEE000-0x0000000071DEF000-memory.dmp

Filesize
4KB

Download
memory/4004-591-0x0000000071DE0000-0x0000000072590000-memory.dmp

Filesize
7.7MB

Download
memory/4004-592-0x0000000039450000-0x0000000039612000-memory.dmp

Filesize
1.8MB

Download
memory/4004-593-0x0000000039620000-0x0000000039670000-memory.dmp

Filesize
320KB

Download
memory/5876-566-0x0000000076EF1000-0x0000000077011000-memory.dmp

Filesize
1.1MB

Download
memory/5876-567-0x0000000076EF1000-0x0000000077011000-memory.dmp

Filesize
1.1MB

Download
memory/5876-568-0x0000000073D55000-0x0000000073D56000-memory.dmp

Filesize
4KB

Download