guloader | cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87 | Triage

Sharing

General

Target

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
Size

993KB
Sample

241104-sww1aaseqp
MD5

109999f2dd1c17c2f9824fe52d15857b
SHA1

ccc28bea9a2d7f888291a3ff846a6f820509f1a8
SHA256

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87
SHA512

9c260cd2764d4a6b33b2a119825c6ce0e3e759cecf02adfe10e1ed72d0e2e5e86de4f5660437c1bbadb9e53a76bd74e3966054daff3b3d7b9a173c98a58d4d26
SSDEEP

12288:tqiMp5vpmVSD/bqepRjrByHHjXEbDbMifHzF6rWowo3lItWMTCJqCOl1:RMqObqe7jrmHjXEPbMifTcrh9+tW40O3

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
cp1.virtualine.org
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Targets

- Target
  
  cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
- Size
  
  993KB
- MD5
  
  109999f2dd1c17c2f9824fe52d15857b
- SHA1
  
  ccc28bea9a2d7f888291a3ff846a6f820509f1a8
- SHA256
  
  cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87
- SHA512
  
  9c260cd2764d4a6b33b2a119825c6ce0e3e759cecf02adfe10e1ed72d0e2e5e86de4f5660437c1bbadb9e53a76bd74e3966054daff3b3d7b9a173c98a58d4d26
- SSDEEP
  
  12288:tqiMp5vpmVSD/bqepRjrByHHjXEbDbMifHzF6rWowo3lItWMTCJqCOl1:RMqObqe7jrmHjXEPbMifTcrh9+tW40O3
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  6ad39193ed20078aa1b23c33a1e48859
- SHA1
  
  95e70e4f47aa1689cc08afbdaef3ec323b5342fa
- SHA256
  
  b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2
- SHA512
  
  78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b
- SSDEEP
  
  96:qIsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9Fug:ZVL7ikJb76BQUoUm+RnyXVYO2RvHFug
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloadervipkeyloggerdiscoverydownloaderkeyloggerstealer

behavioral2

guloadervipkeyloggerdiscoverydownloaderkeyloggerstealer

behavioral3

behavioral4