guloader | cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87

General

Target

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
Size

993KB
Sample

241105-exekqsvfml
MD5

109999f2dd1c17c2f9824fe52d15857b
SHA1

ccc28bea9a2d7f888291a3ff846a6f820509f1a8
SHA256

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87
SHA512

9c260cd2764d4a6b33b2a119825c6ce0e3e759cecf02adfe10e1ed72d0e2e5e86de4f5660437c1bbadb9e53a76bd74e3966054daff3b3d7b9a173c98a58d4d26
SSDEEP

12288:tqiMp5vpmVSD/bqepRjrByHHjXEbDbMifHzF6rWowo3lItWMTCJqCOl1:RMqObqe7jrmHjXEPbMifTcrh9+tW40O3

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
cp1.virtualine.org
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Targets

- Target
  
  cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
- Size
  
  993KB
- MD5
  
  109999f2dd1c17c2f9824fe52d15857b
- SHA1
  
  ccc28bea9a2d7f888291a3ff846a6f820509f1a8
- SHA256
  
  cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87
- SHA512
  
  9c260cd2764d4a6b33b2a119825c6ce0e3e759cecf02adfe10e1ed72d0e2e5e86de4f5660437c1bbadb9e53a76bd74e3966054daff3b3d7b9a173c98a58d4d26
- SSDEEP
  
  12288:tqiMp5vpmVSD/bqepRjrByHHjXEbDbMifHzF6rWowo3lItWMTCJqCOl1:RMqObqe7jrmHjXEPbMifTcrh9+tW40O3
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  6ad39193ed20078aa1b23c33a1e48859
- SHA1
  
  95e70e4f47aa1689cc08afbdaef3ec323b5342fa
- SHA256
  
  b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2
- SHA512
  
  78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b
- SSDEEP
  
  96:qIsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9Fug:ZVL7ikJb76BQUoUm+RnyXVYO2RvHFug
Score

3^/10

discovery
behavioral3 behavioral4