guloader | 422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e

General

Target

422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e
Size

684KB
Sample

241117-cpxegaxrht
MD5

679962fd58f49f4d2f57a70a60aa287d
SHA1

3e3a3e5bc5e49ab7212e5ae5f340dd820fccd643
SHA256

422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e
SHA512

597a1678322ade7c14d1181b9a2e4e09a7a9f841d5c2f3f0e0e64c40801eec25112dca1c5eaf53834dd1fdf8f5003f69d64e6cf5dd4ea46e42c73018690d4348
SSDEEP

12288:aMwa4IgEP4mLbAcLit9eIAnZ21gvG4nwNtsgw3PgAeeVhGctb7U:aMwa4BEP3Qc+t9eIAnEgB2Mobej7U

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.foodex.com.pk
Port:
587
Username:
[email protected]
Password:
wajahat1975

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.foodex.com.pk
Port:
587
Username:
[email protected]
Password:
wajahat1975
Email To:
[email protected]

Targets

- Target
  
  422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e
- Size
  
  684KB
- MD5
  
  679962fd58f49f4d2f57a70a60aa287d
- SHA1
  
  3e3a3e5bc5e49ab7212e5ae5f340dd820fccd643
- SHA256
  
  422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e
- SHA512
  
  597a1678322ade7c14d1181b9a2e4e09a7a9f841d5c2f3f0e0e64c40801eec25112dca1c5eaf53834dd1fdf8f5003f69d64e6cf5dd4ea46e42c73018690d4348
- SSDEEP
  
  12288:aMwa4IgEP4mLbAcLit9eIAnZ21gvG4nwNtsgw3PgAeeVhGctb7U:aMwa4BEP3Qc+t9eIAnEgB2Mobej7U
Score

10^/10

guloader discovery downloader vipkeylogger collection keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  564bb0373067e1785cba7e4c24aab4bf
- SHA1
  
  7c9416a01d821b10b2eef97b80899d24014d6fc1
- SHA256
  
  7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
- SHA512
  
  22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- SSDEEP
  
  192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score

3^/10

discovery
behavioral3 behavioral4