guloader | 5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383

General

Target

5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383.exe
Size

536KB
Sample

241126-c2ys3awnfk
MD5

51000c141b602569cf44b0f8bec9ecb8
SHA1

d7b819dbc26b3e66c99d233c5c7fc86492e626dd
SHA256

5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383
SHA512

8b38516298e15002a228424f926552b9abc06fb7fb0da94d78a48fea4c0a861fc5bdbcdf9db733f9644a480b4099d237cd70531b8afa11879562d71dd7ee2283
SSDEEP

6144:9lgvTRHy2nGlwzQ7LA+CB+f6tb9PTPgN++6aCUYvIRN3JGrYJfXvk0OFP2lmBLoE:32EI+CnhxC+JaWSRlXMPL6TEHmd3ZhZ8

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.cipmach.com
Port:
587
Username:
[email protected]
Password:
mail@2019$
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.cipmach.com
Port:
587
Username:
[email protected]
Password:
mail@2019$

Targets

- Target
  
  5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383.exe
- Size
  
  536KB
- MD5
  
  51000c141b602569cf44b0f8bec9ecb8
- SHA1
  
  d7b819dbc26b3e66c99d233c5c7fc86492e626dd
- SHA256
  
  5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383
- SHA512
  
  8b38516298e15002a228424f926552b9abc06fb7fb0da94d78a48fea4c0a861fc5bdbcdf9db733f9644a480b4099d237cd70531b8afa11879562d71dd7ee2283
- SSDEEP
  
  6144:9lgvTRHy2nGlwzQ7LA+CB+f6tb9PTPgN++6aCUYvIRN3JGrYJfXvk0OFP2lmBLoE:32EI+CnhxC+JaWSRlXMPL6TEHmd3ZhZ8
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10

discovery
behavioral3 behavioral4