guloader | f6ad2374fe19582a54ac0b9972ec41223f4291af9e49834fbd240629b9c74e62

General

Target

FA25000003_PDF.exe
Size

556KB
Sample

250129-khlndszrhp
MD5

6ca301ca8387dce5fd21f318ebba05c6
SHA1

42721db007b2a33119e951aa29749af25bc4cf01
SHA256

f6ad2374fe19582a54ac0b9972ec41223f4291af9e49834fbd240629b9c74e62
SHA512

37eb46fc6493dc3ee783a9fbfba56356f3a088dca8c53ba4d7f7aa3dd2f56c2f8ab5567bce3118f0611a7923e4cda12174f407b3262c1f4f41f07835fcc1f618
SSDEEP

12288:Ak2r86ZoU8clmyN7oOX4V44I5pqAm3R3W6TRVZdMN6:m86SU8clmyNI44InqRR1ZdM0

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7581561605:AAGI-5iG4DeXqVhNDvhaICvGbOejumUD6AE/sendMessage?chat_id=5434550993

Targets

- Target
  
  FA25000003_PDF.exe
- Size
  
  556KB
- MD5
  
  6ca301ca8387dce5fd21f318ebba05c6
- SHA1
  
  42721db007b2a33119e951aa29749af25bc4cf01
- SHA256
  
  f6ad2374fe19582a54ac0b9972ec41223f4291af9e49834fbd240629b9c74e62
- SHA512
  
  37eb46fc6493dc3ee783a9fbfba56356f3a088dca8c53ba4d7f7aa3dd2f56c2f8ab5567bce3118f0611a7923e4cda12174f407b3262c1f4f41f07835fcc1f618
- SSDEEP
  
  12288:Ak2r86ZoU8clmyN7oOX4V44I5pqAm3R3W6TRVZdMN6:m86SU8clmyNI44InqRR1ZdM0
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  f1e9eed02db3a822a7ddef0c724e5f1f
- SHA1
  
  65864992f5b6c79c5efbefb5b1354648a8a86709
- SHA256
  
  6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df
- SHA512
  
  c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c
- SSDEEP
  
  48:S46+/fTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mjsofjLl:zRuPbOBtWZBV8jAWiAJCdv2Cmj/L
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  17ed1c86bd67e78ade4712be48a7d2bd
- SHA1
  
  1cc9fe86d6d6030b4dae45ecddce5907991c01a0
- SHA256
  
  bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
- SHA512
  
  0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
- SSDEEP
  
  192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Score

3^/10

discovery
behavioral5 behavioral6