guloader | 727df276f28733a6ed86cfaeb18de7837563be2861148b9bed59e0103d1f0eb6

General

Target

29012025_1049_28012025_detalle_transferencia_28-01-2025_4844830.rar
Size

729KB
Sample

250129-mwwfvswkft
MD5

cb5fddbcc119c0cfbafc9cf518125377
SHA1

e0a321a763a3bac36b4c017e62696152e6b0a7e6
SHA256

727df276f28733a6ed86cfaeb18de7837563be2861148b9bed59e0103d1f0eb6
SHA512

e2c80c32e6db1e9f0e7c6b51d361019a04478a4c1e416d60dd2871ef55ddef3a14eccefbcb1760e9ad506273990ad5022c579f7cc70dca10ce9a4cacc21b4ae5
SSDEEP

12288:2EFfS370DgNIxGiL/w0JwMyDQsmzcw1Usy722dyW5LogzqcTTCpjici5X:f9S37WKIxt/wDBDQsScwry72shjzqcTh

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
webmail.segurcisa.com
Port:
587
Username:
[email protected]
Password:
Segurpas$,12z
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
webmail.segurcisa.com
Port:
587
Username:
[email protected]
Password:
Segurpas$,12z

Targets

- Target
  
  detalle_transferencia_28-01-2025_4844830.exe
- Size
  
  811KB
- MD5
  
  71dfa22f384cc9fd4a1dc0cc767208a3
- SHA1
  
  3ae8bf9561fa09829d1c7f77ac17ff005cb8f8b6
- SHA256
  
  c1713a4d1fea88be492ec6fbdc9b1e793d5d7972f0f538b71a0da0c318ada360
- SHA512
  
  85b5f965c3170456e13d3b1bd3418bad6384383fa71ad074cc34f5827ed6954d21f69635133fa277fa3022c0f46138edbaf49348acecd1b7c7be3082682f5682
- SSDEEP
  
  12288:CGuLXqLB7gdFrs981KuAwrgzQcHH0pqkwgVvpJBiniH:CGuDqLiFQ99wrggvDXfCiH
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  192639861e3dc2dc5c08bb8f8c7260d5
- SHA1
  
  58d30e460609e22fa0098bc27d928b689ef9af78
- SHA256
  
  23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
- SHA512
  
  6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
- SSDEEP
  
  192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
Score

3^/10

discovery
behavioral3 behavioral4