guloader | 11c0447506a592e4150aaaac547752f0726123361e4c152382d34522df6f075a

Analysis

max time kernel
119s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Honorarios_ 2025-04-14.exe
Size

679KB
MD5

f9d5459e950a2b3f401b9b4b4e5c8501
SHA1

931d7959fa3ed26a0a196d6229d04a9250932feb
SHA256

77b87775f59ad5a2564185b6565a5035d14298c3853ac8a70adbb8f10ff3bc8c
SHA512

0cfd3a7e7a041f9fe814804e2c78ee6c19d8abb63ce5523bd3e66f83970c30ad7924d0087a9e579933f38f3429f657aa4271f0ab25b6ac17bb5eaab50894e297
SSDEEP

12288:x+qbdKtjXR/tkhMizqpKPj2xOvp2Y0dWDop0b8i8nqBYmCeuU96ofXt1A7:x+qbdyRlkhdes2xgp2Y0ysYBYmCeyc1+

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7670096613:AAEY0JFb0a1CzByXhvZqUC9W4CQmo9fAmZM/sendMessage?chat_id=7911627152

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2084	Factura Honorarios_ 2025-04-14.exe
2084	Factura Honorarios_ 2025-04-14.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2824	Factura Honorarios_ 2025-04-14.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2084	Factura Honorarios_ 2025-04-14.exe
2824	Factura Honorarios_ 2025-04-14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1540	2824	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura Honorarios_ 2025-04-14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura Honorarios_ 2025-04-14.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2824	Factura Honorarios_ 2025-04-14.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2084	Factura Honorarios_ 2025-04-14.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	Factura Honorarios_ 2025-04-14.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2824	2084	Factura Honorarios_ 2025-04-14.exe	89
PID 2084 wrote to memory of 2824	2084	Factura Honorarios_ 2025-04-14.exe	89
PID 2084 wrote to memory of 2824	2084	Factura Honorarios_ 2025-04-14.exe	89
PID 2084 wrote to memory of 2824	2084	Factura Honorarios_ 2025-04-14.exe	89

C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura Honorarios_ 2025-04-14.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 2300
    3⤵
    - Program crash
    PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2824 -ip 2824
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg7BBB.tmp

Filesize
33B

MD5
d0c16d35895f4a76cb4fa85fc11c6842

SHA1
61d36c5b3fd3f0772608359b7ed9890b0474aee0

SHA256
d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59

SHA512
3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BBB.tmp

Filesize
49B

MD5
1aeb67240bc704bf6cc2fa0a6f52a970

SHA1
0d5cbc71d7e606e7f1a68332be8a7a5a7b4be02d

SHA256
bbd283b5a658ac95e8811c820de41f911e7559e982d9378b5b14c3f7cb5ccb6d

SHA512
c64bdb3c49ff5ca422fe5a4a03fac5145072f7cf692addc23e811ce39c25fc7fcb8e15a07fd770eb8d392d86cfc12c3520b080899a4d2c85646c09b181f2b47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7BBB.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7D44.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7BDB.tmp

Filesize
60B

MD5
96cb2bcf9f67b71516753305f6a047af

SHA1
4287c4403d3f62935c02d3d748212a3a54e03b12

SHA256
be8a1df4efd21b4cabb5b1ef06fff3d42def2d0b0975b0e5bf280c2f25392544

SHA512
da4cd6010ccda5fc592ca5e14a4b62577b9551f28ad409b931d5df31c63892ca9bae98f57fd856031f636fe39f78b92310c12cc5606609fd065e90a12db10acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7B5B.tmp

Filesize
65B

MD5
1bd5509d17a385dbcebec5b71de8dffc

SHA1
9d70c3f205dddda5e33e5de97c0a09feb6836130

SHA256
2bad3065546719b1e5ff58cb7ca6231b6cb669fb1fd06fb30102e9df00d63e60

SHA512
ca43f9d62ad2c3b950b816274869a1c0bd22b77bbb80fc810783ef23b9317362132fb2f29510bb51f4d00940d8c9038b5700560b6f1e38722b2e65037c148bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7B5B.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7B5B.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7B5B.tmp

Filesize
28B

MD5
2490402a1d7d19949dd2a237b95af06f

SHA1
9a960e98c750e3fc7e44cdd6e1af20e690d893b1

SHA256
bb92b5197bb4677950b78f816a8170797d0392af55e31d0f0744fe9c99f7e9b8

SHA512
f3d299910eee8e8ace51ae3e7d79d12f7f68bfbcdaa0d7b8b66d505c4bdba7d95a97aeefc9f22868989115a99f81e0e3e9480e0d3e9af5fa27d2d9b0e961b52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7B5B.tmp

Filesize
51B

MD5
25e25dd5339a5ffa3029882c78781ba5

SHA1
4a3f9570af7ac769c1ed9f3f6635610f580f25a2

SHA256
95d99ced3262b6abe20846c575046294e0cace752cab5ab2067c4b78982ab61b

SHA512
7c5ad14c5c038c871576fadd2f7ca1c04425fe7536c0e94e7817197ec43a732369b31ef42ef194c2e44b52dfb55237a3b6a5663e17b106482a7a22f1434f2bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7B5B.tmp

Filesize
55B

MD5
2598d3e10bec5798f73f49de505a8514

SHA1
4431b20a112e277250649a917f846a6627870a60

SHA256
08643cfe1a514214ae4175809b7eadbc0bff209e07adf091e91748dccf9ca874

SHA512
83687d6fb3238184b92f04cc70e54ede282d56e34f67781db6c4dfd9529cab30ba15d9ca3059b68f9d82eb87a8d6432e80ba0779d1438c1df861b0bb30905f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BAA.tmp\System.dll

Filesize
12KB

MD5
9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1
97332a2ffcf12a3e3f27e7c05213b5d7faa13735

SHA256
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

SHA512
26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BFB.tmp

Filesize
15B

MD5
64c34dda0003aa56030f5cef66dd8616

SHA1
8f3f9e66c5b9d35715b3c6d8aa800450f6db95fb

SHA256
a3f3ef6dbcdd25537eb2d093b42fcb85c2e84522ae1aab7bf924dc00eb3ef870

SHA512
0f01df79160393b6e7c6ea2d302bd9c1613a269ca0cb09d300d6c98dbff12e0aa3456e89c16842de77353c32edb4df565ac0709a66dc48375088f8dbba3b277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BFB.tmp

Filesize
26B

MD5
17425c43be7fbedcbfb1934f0dc3e914

SHA1
8217a08d1c7fdbf5499aa5297e476cf38c12b8a6

SHA256
2e731782503bbf3b2fa333ff6e2da7c873dfeb1d11a25c5e7a013c11fb7028a1

SHA512
3a8a521c6c0fd50b15fb086a3bbc9d03b048c06350cc2812f214fcc73720c5f6d931fce0889ed4f36d8f3fb1402ebe2f23167b206e18d969296658d28971aed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BFB.tmp

Filesize
39B

MD5
27d69414e55cfeb6ac505d4a2c0e7d59

SHA1
4614012ca11d5cf2d8a1db03aacd2989a8e09d45

SHA256
4f161e0306335d739502bf5ebe68f4135a5ac99ed2a13219305bbe83b18be36d

SHA512
65abc72bb0ed47bac89e8bd3664fb9864391af2747b12d30c0a8a38bad56c8419ae2bda5846a99299093bc8c1e7b73f2bbb8033ac01cd90aa3e36eae74c311ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BFB.tmp

Filesize
44B

MD5
4c3b16505f10bbe1182cde3d90665d28

SHA1
3f3463de0ff2c366d4032831e2b418ca32d96eba

SHA256
4c023ffa44943e882744067031d415c36033c4bad92d987aa7be5913c863b1af

SHA512
8293485b5e427b34bd01d029973e3d0baaf9ec37b652af0efc7fc16d7d13824fc5cc492fac942f04023339850e996a161a06720d5074cc38a24ad243a4911429

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BFB.tmp

Filesize
50B

MD5
ed4f9cb6627dc8981dd41bf3fe45a9a2

SHA1
ef6975b193809fa457b7a5e49c54e2eb0f16aa05

SHA256
4190398435cc5588317fe68c6d2e2e544e1eca24dbf3b6b203afd91f4b8f163a

SHA512
f7d537bb73998c1236519d4592163aac722d36ed5d6b85a2e1a807867f2fc41c3f5d693c352228c841792561d055c56ffa220b7592f4de2a79ea1529a37dc5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7BFB.tmp

Filesize
56B

MD5
46afbdbeaa75354cac7bb848076da26b

SHA1
4c737d3a1b4d52123877e1eff5c10204ea3e958e

SHA256
9dd741c9e0dbac1414a9c6ff7fb56344118eccd00b982882dd3f7db27c5c5a4d

SHA512
56ee260b4338da6ab0ff461cf053fc1a9473eb2a9b75ae7bc91e7fb4c796d74a8a7f6ee3d463b7b2d8b758a195282b6f6a134ccb98f9144a465eca811cee6f6b

Download Submit
memory/2084-566-0x0000000077A41000-0x0000000077B61000-memory.dmp

Filesize
1.1MB

Download
memory/2084-567-0x0000000077A41000-0x0000000077B61000-memory.dmp

Filesize
1.1MB

Download
memory/2084-568-0x00000000748A5000-0x00000000748A6000-memory.dmp

Filesize
4KB

Download
memory/2824-569-0x00000000016C0000-0x00000000068DE000-memory.dmp

Filesize
82.1MB

Download
memory/2824-570-0x0000000077AC8000-0x0000000077AC9000-memory.dmp

Filesize
4KB

Download
memory/2824-571-0x0000000077AE5000-0x0000000077AE6000-memory.dmp

Filesize
4KB

Download
memory/2824-580-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/2824-581-0x0000000077A41000-0x0000000077B61000-memory.dmp

Filesize
1.1MB

Download
memory/2824-583-0x000000007293E000-0x000000007293F000-memory.dmp

Filesize
4KB

Download
memory/2824-584-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/2824-585-0x0000000039850000-0x0000000039DF4000-memory.dmp

Filesize
5.6MB

Download
memory/2824-586-0x0000000006970000-0x0000000006A0C000-memory.dmp

Filesize
624KB

Download
memory/2824-582-0x00000000016C0000-0x00000000068DE000-memory.dmp

Filesize
82.1MB

Download
memory/2824-587-0x0000000072930000-0x00000000730E0000-memory.dmp

Filesize
7.7MB

Download
memory/2824-590-0x0000000072930000-0x00000000730E0000-memory.dmp

Filesize
7.7MB

Download