guloader | 00b33c93902d9cb8722957b2512a45196b37284ffd85489e74d973aae7ec1962

General

Target

Korrekturlsning.exe
Size

564KB
Sample

241119-f7gnhs1jev
MD5

092db8e9c1a9c370510f7e33067be9bf
SHA1

38204269d191f5b7745932f8ca05af8c13cba110
SHA256

00b33c93902d9cb8722957b2512a45196b37284ffd85489e74d973aae7ec1962
SHA512

86daa82ad2ff52c35e4e6e13da0ef11da3243ccd56d79614628bf7b7533fc05f23755ca80540c2ec02ed247574c8e653ef0f91c60b58e7f32d092446f9098b2f
SSDEEP

12288:32EIBt4q0c1yIPM9M3NFNPvJlQfkHphGvOvz28i2cK5L/jM+qImd3ZhZU:3wBGLYP1Jlmgph42a8bvTfPmdPZU

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8124032214:AAHsMb8ZSRX6oiufFz1tRalXrmGjYujuzB4/sendMessage?chat_id=6198188190

Targets

- Target
  
  Korrekturlsning.exe
- Size
  
  564KB
- MD5
  
  092db8e9c1a9c370510f7e33067be9bf
- SHA1
  
  38204269d191f5b7745932f8ca05af8c13cba110
- SHA256
  
  00b33c93902d9cb8722957b2512a45196b37284ffd85489e74d973aae7ec1962
- SHA512
  
  86daa82ad2ff52c35e4e6e13da0ef11da3243ccd56d79614628bf7b7533fc05f23755ca80540c2ec02ed247574c8e653ef0f91c60b58e7f32d092446f9098b2f
- SSDEEP
  
  12288:32EIBt4q0c1yIPM9M3NFNPvJlQfkHphGvOvz28i2cK5L/jM+qImd3ZhZU:3wBGLYP1Jlmgph42a8bvTfPmdPZU
Score

10^/10

guloader vipkeylogger discovery downloader keylogger persistence stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10

discovery
behavioral3 behavioral4