Malware Analysis Report

2025-08-05 14:43

Sample ID 250701-g3zh7s1wey
Target 01072025_0620_26062025_JUSTIFICANTE DE PAGO.rar
SHA256 1128b81c3594f37f526d03bf96e6a604b0771dc0972b20ddab1a8eecbf002990
Tags: guloader vipkeylogger discovery downloader keylogger stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V16
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (same sections as behavioral1)
Analysis: behavioral3 (same sections as behavioral1)
Analysis: behavioral4 (same sections as behavioral1)
Analysis: behavioral5 (same sections as behavioral1)
Analysis: behavioral6 (same sections as behavioral1)
Analysis Overview

Score: 10/10

SHA256: 1128b81c3594f37f526d03bf96e6a604b0771dc0972b20ddab1a8eecbf002990

Threat Level: Known bad. The file 01072025_0620_26062025_JUSTIFICANTE DE PAGO.rar was found to be: Known bad.

Malicious Activity Summary

Tags: guloader vipkeylogger discovery downloader keylogger stealer

Signatures triggered across all runs (per-run details follow under each analysis):

Guloader,Cloudeye
VIPKeylogger
Guloader family
Vipkeylogger family
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
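The signature names above are what the sandbox emits after correlating raw events by process. The following Python script is an added example (not part of this report or of the sandbox product) showing the same correlation done on host telemetry: it groups constructed process, file, registry and DNS events by PID, maps them onto the behaviour classes listed above, and only flags a process that chains several of them, so a lone NLS\Language lookup (routine for installers) does not fire. The event records, their field names and the threshold are assumptions loosely modelled on Sysmon-style logs and on what behavioral1 below records for the sample.

```python
"""Correlate per-process telemetry into the behaviour classes this report flags.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to
resemble what behavioral1 shows: a process run from the user's Temp directory,
a file modification under SysWOW64, a read of the NLS\Language key, and DNS
queries for a file-hosting service and an external-IP echo service. Field names
are assumptions, not any vendor's schema.
"""
import re
from collections import defaultdict

TEMP_EXEC = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM32_WRITE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.I)
IP_CHECK_HOSTS = {"checkip.dyndns.org"}   # external-IP echo service seen in this report
FILE_HOSTING = {"drive.google.com", "drive.usercontent.google.com"}

# Constructed events: "process" = process create, "file" = file create/modify,
# "registry" = registry key open, "dns" = DNS query. PIDs are illustrative.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1568,
     "image": r"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"},
    {"type": "file", "pid": 1568, "target": r"C:\Windows\SysWOW64\expired\fortjet.ini"},
    {"type": "registry", "pid": 1568,
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "dns", "pid": 1568, "query": "drive.google.com"},
    {"type": "dns", "pid": 1568, "query": "checkip.dyndns.org"},
    # A benign process that only reads the language key: must not be flagged.
    {"type": "process", "pid": 4000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "registry", "pid": 4000,
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def classify(events):
    """Return {pid: sorted list of matched behaviour names}."""
    hits = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process" and TEMP_EXEC.search(ev["image"]):
            hits[pid].add("execution from user temp directory")
        elif kind == "file" and SYSTEM32_WRITE.search(ev["target"]):
            hits[pid].add("drops file in System32 directory")
        elif kind == "registry" and NLS_LANGUAGE.search(ev["target"]):
            hits[pid].add("system language discovery")
        elif kind == "dns":
            query = ev["query"].lower()
            if query in IP_CHECK_HOSTS:
                hits[pid].add("looks up external IP address via web service")
            elif query in FILE_HOSTING:
                hits[pid].add("contacts legitimate file-hosting service")
    return {pid: sorted(names) for pid, names in hits.items()}


def score(events, threshold=3):
    """Flag a PID only when it chains at least `threshold` distinct behaviours.

    Language discovery on its own never reaches the threshold; it only adds
    weight to a process that is already doing something suspicious."""
    return {pid: names for pid, names in classify(events).items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for pid, names in score(SAMPLE_EVENTS).items():
        print(f"PID {pid} flagged:")
        for name in names:
            print(f"  - {name}")
```

Lowering `threshold` to 1 turns the script into a plain per-process behaviour inventory, which is useful for triage but, as the notepad.exe record shows, would flag every process that touches the language key.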

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported: 2025-07-01 06:20

Signatures

Unsigned PE (2 hits; Description, Indicator, Process and Target all recorded as N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-01 06:20
Reported: 2025-07-01 06:25
Platform: win10v2004-20250619-en
Max time kernel: 159s
Max time network: 289s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"

Signatures

Guloader family (tags: guloader)

Guloader,Cloudeye (tags: downloader guloader)

VIPKeylogger (tags: stealer keylogger vipkeylogger)

Vipkeylogger family (tags: vipkeylogger)

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\expired\fortjet.ini | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Both hits are the ThreadHideFromDebugger anti-debugging technique: a thread created with the hide-from-debugger flag, or marked that way afterwards through NtSetInformationThread, generates no debug events, so a debugger attached to the process never sees exceptions or breakpoints raised in that thread.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Reading NLS\Language is also done by ordinary installers and localised software, so this hit carries weight only in combination with the other behaviour recorded in this run.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

SeDebugPrivilege is the privilege required to open other processes with full access; together with process enumeration and MapViewOfSection it is the usual preparation for cross-process memory access.

Processes

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe
    "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe
    "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 2272

The sample runs as two instances of the same executable. The WerFault.exe lines (-p 1568) are Windows Error Reporting handling a crash of PID 1568, one of those two instances; the memory dumps listed under Files come from PIDs 224 and 1568, i.e. from both.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | drive.google.com | udp
GB | 172.217.16.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.179.227:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.187.193:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

The 8.8.8.8:53 rows are the sandbox's DNS resolver, the bing.com/bing.net rows are Windows background traffic, and o.pki.goog/c.pki.goog are Google's certificate revocation endpoints contacted as a side effect of the TLS session to Google; none of these are sample-specific. The sample-relevant rows are drive.google.com and drive.usercontent.google.com (the latter is Google Drive's direct-download host, consistent with the "legitimate hosting services abused" signature) and checkip.dyndns.org (the external-IP lookup).
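A Network table like the one above mixes sandbox and OS background traffic with the few rows that matter. The Python script below is an added example (not part of this report or of the sandbox) that parses a constructed copy of the behavioral1 rows and reduces them to a hunt list: resolver rows are dropped, known background hosts are discarded, and hosts that belong to a shared legitimate service are kept for hunting by name but marked as unsafe to block by IP. The background and shared-service classifications are analyst assumptions stated in the code.

```python
"""Reduce a sandbox Network table to a de-noised hunt list.

Added example, not part of the sandbox report. REPORT_ROWS is a constructed
copy of the behavioral1 Network rows. Classification assumptions: 8.8.8.8:53
is the sandbox resolver; bing.com/bing.net and pki.goog are Windows and
certificate-revocation background traffic; the two Google Drive hosts are a
legitimate service abused by the sample, so their IPs must not be blocked.
"""
import re

REPORT_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
"""

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+(?P<proto>tcp|udp)$"
)
RESOLVERS = {"8.8.8.8"}
BACKGROUND = [re.compile(r"(^|\.)bing\.(com|net)$", re.I),
              re.compile(r"(^|\.)pki\.goog$", re.I)]
SHARED_SERVICES = {"drive.google.com", "drive.usercontent.google.com"}


def parse_rows(text):
    """Parse 'CC ip:port host proto' rows; refuse anything that does not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify_host(host):
    """background: discard; shared-service: hunt by name only; indicator: hunt freely."""
    h = host.lower()
    if any(p.search(h) for p in BACKGROUND):
        return "background"
    if h in SHARED_SERVICES:
        return "shared-service"
    return "indicator"


def hunt_list(text):
    """Return {host: {"role": ..., "endpoints": [...]}} for non-background hosts.

    Resolver rows are dropped: the tcp row already names the host, and the
    sandbox's DNS server is not an indicator of anything."""
    out = {}
    for r in parse_rows(text):
        role = classify_host(r["host"])
        if role == "background" or r["ip"] in RESOLVERS:
            continue
        entry = out.setdefault(r["host"], {"role": role, "endpoints": set()})
        entry["endpoints"].add(f'{r["ip"]}:{r["port"]}/{r["proto"]}')
    return {h: {"role": e["role"], "endpoints": sorted(e["endpoints"])}
            for h, e in out.items()}


def indicator_hosts(text):
    """Hosts whose name and endpoints can be used as indicators on their own."""
    return sorted(h for h, e in hunt_list(text).items() if e["role"] == "indicator")


if __name__ == "__main__":
    for host, e in hunt_list(REPORT_ROWS).items():
        print(f'{host:32} {e["role"]:15} {", ".join(e["endpoints"])}')
    print("indicator hosts:", indicator_hosts(REPORT_ROWS))
```

On these rows the only host left in the "indicator" role is checkip.dyndns.org; it is itself a public IP-echo service, so whether to block it outright is an environment decision, while a query for it from a process running out of a user's Temp directory is a strong detection on its own.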

Files

C:\Users\Admin\AppData\Local\Temp\nse5EAB.tmp\System.dll
MD5: 9625d5b1754bc4ff29281d415d27a0fd
SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\nse5EAB.tmp\LangDLL.dll
MD5: 30b091668111ab1d6c19f16586a9eee5
SHA1: aea49d81cf9972eaf1604793c04d13ddffe2c475
SHA256: 331ca4b3a311324b463167ec43851146e57a2d90500ac3fd57a7683f6b777ffb
SHA512: 6dd592af085b2e28c54d7f525916112dbf5cfe134393b0b97f8f1f64739cf90962273c51f02e8ce2c623cf6aa8355eacda5db0b0256d8f05a77ccf0f99d11648

The nse5EAB.tmp directory (nsy687F.tmp in behavioral2, shown as $PLUGINSDIR in behavioral3 to behavioral6) is where an NSIS-built installer unpacks its plugins, and System.dll and LangDLL.dll are stock NSIS plugins that ship with the NSIS toolchain. Their hashes therefore identify the installer framework, not this sample, and will also match benign NSIS installers; do not use them as malicious-file indicators.

Memory dumps (PID-index-address range):
memory/224-41-0x0000000004040000-0x0000000005AF3000-memory.dmp
memory/224-42-0x0000000004040000-0x0000000005AF3000-memory.dmp
memory/224-43-0x0000000010004000-0x0000000010005000-memory.dmp
memory/224-44-0x0000000004040000-0x0000000005AF3000-memory.dmp
memory/1568-45-0x0000000001730000-0x00000000031E3000-memory.dmp
memory/1568-46-0x0000000077B98000-0x0000000077B99000-memory.dmp
memory/1568-47-0x0000000077C39000-0x0000000077C3A000-memory.dmp
memory/1568-57-0x00000000004D0000-0x0000000001724000-memory.dmp
memory/1568-58-0x00000000004D0000-0x000000000051A000-memory.dmp
memory/1568-59-0x0000000035DD0000-0x0000000036374000-memory.dmp
memory/1568-60-0x0000000035BF0000-0x0000000035C8C000-memory.dmp
memory/1568-62-0x0000000001730000-0x00000000031E3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-07-01 06:20
Reported: 2025-07-01 06:25
Platform: win11-20250619-en
Max time kernel: 101s
Max time network: 212s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"

Signatures

Guloader family (tags: guloader)

Guloader,Cloudeye (tags: downloader guloader)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\expired\fortjet.ini | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe
    "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe
    "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4640 -ip 4640

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 440

As in behavioral1, the sample runs as two instances and WerFault.exe (-p 4640) is Windows Error Reporting handling a crash of PID 4640, one of them. This run recorded no network traffic and no VIPKeylogger signature.

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\System.dll
MD5: 9625d5b1754bc4ff29281d415d27a0fd
SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\LangDLL.dll
MD5: 30b091668111ab1d6c19f16586a9eee5
SHA1: aea49d81cf9972eaf1604793c04d13ddffe2c475
SHA256: 331ca4b3a311324b463167ec43851146e57a2d90500ac3fd57a7683f6b777ffb
SHA512: 6dd592af085b2e28c54d7f525916112dbf5cfe134393b0b97f8f1f64739cf90962273c51f02e8ce2c623cf6aa8355eacda5db0b0256d8f05a77ccf0f99d11648

Memory dumps (PID-index-address range):
memory/3668-41-0x00000000042D0000-0x0000000005D83000-memory.dmp
memory/3668-42-0x00000000042D0000-0x0000000005D83000-memory.dmp
memory/3668-43-0x0000000010004000-0x0000000010005000-memory.dmp
memory/3668-44-0x00000000042D0000-0x0000000005D83000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2025-07-01 06:20
Reported: 2025-07-01 06:25
Platform: win10v2004-20250619-en
Max time kernel: 104s
Max time network: 213s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5032 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

This run invokes the dropped NSIS plugin LangDLL.dll on its own through rundll32 export ordinal #1. The 64-bit C:\Windows\system32\rundll32.exe hands a 32-bit DLL off to C:\Windows\SysWOW64\rundll32.exe, and the WriteProcessMemory hits are that WoW64 relaunch (the parent writing to the child it is creating), not injection by the sample. Called outside the NSIS installer that normally hosts it, the plugin crashes, so this run shows no sample-specific behaviour.

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 600

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

All rows are Windows background traffic (Bing) and certificate revocation checks (c.pki.goog) plus the sandbox resolver; nothing here is attributable to the DLL.

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2025-07-01 06:20
Reported: 2025-07-01 06:25
Platform: win11-20250619-en
Max time kernel: 100s
Max time network: 211s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2636 wrote to memory of 5768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2636 wrote to memory of 5768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2636 wrote to memory of 5768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Standalone rundll32 run of the NSIS plugin LangDLL.dll on win11: the WriteProcessMemory hits are the 64-bit rundll32 relaunching its 32-bit SysWOW64 counterpart, and the plugin crashes outside its NSIS host. No sample-specific behaviour in this run.

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5768 -ip 5768

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 448

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2025-07-01 06:20
Reported: 2025-07-01 06:25
Platform: win10v2004-20250610-en
Max time kernel: 104s
Max time network: 213s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5724 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5724 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5724 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Standalone rundll32 run of the NSIS plugin System.dll: the WriteProcessMemory hits are the 64-bit rundll32 relaunching its 32-bit SysWOW64 counterpart, and the plugin crashes outside its NSIS host. No sample-specific behaviour in this run.

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

All rows are Windows background traffic (Bing) and certificate revocation checks (c.pki.goog) plus the sandbox resolver; nothing here is attributable to the DLL.

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2025-07-01 06:20
Reported: 2025-07-01 06:25
Platform: win11-20250619-en
Max time kernel: 223s
Max time network: 290s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4916 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4916 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4916 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Standalone rundll32 run of the NSIS plugin System.dll on win11: the WriteProcessMemory hits are the 64-bit rundll32 relaunching its 32-bit SysWOW64 counterpart, and the plugin crashes outside its NSIS host. No sample-specific behaviour in this run.

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1564 -ip 1564

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 460

Network

N/A

Files

N/A