guloader | fa79537e463c6a9b8c2e1ad111194e97045caa67e8c7d59cd0789582dc27691e

General

Target

PURCHASEORDERDLNGREF.4520007395_1.tbz2.rar
Size

847KB
Sample

250130-s8z8gaxnhm
MD5

1005d21545b5edc314394253cf25b1e6
SHA1

6b82a47d70c262d2fb23c55c5948f94d2165ac55
SHA256

fa79537e463c6a9b8c2e1ad111194e97045caa67e8c7d59cd0789582dc27691e
SHA512

ca2497307c97b9a60cde60006b13e3f24382c36d464f29c3fb782637b7b7aa641ef2b8fcdfe6b61c4f76e51cfe9dd62ab0d7dcc6714682e025d5d49241e9757f
SSDEEP

12288:Tvkxa7IVxPuanpcH9JBJ/Mduq0MvWs4q6gWCDvaesZKgGg6cnY+x8tyBMvzx:jrIVxPkjZlq0Mv74FLCzeKLgy+StLd

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.copinsa.com
Port:
587
Username:
[email protected]
Password:
fF@P??Jw(Nkz
Email To:
[email protected]

Targets

- Target
  
  PURCHASE ORDER DLNG REF. 4520007395.exe
- Size
  
  1.2MB
- MD5
  
  02c65afc817f61d1d182e170a44d4843
- SHA1
  
  01ae56d0d7be193e9645a18e466038ae186bf944
- SHA256
  
  98d06e4d2c0ca3e9d257f28269a4a1040c1fa51ddbb6214e8d2b6eed2ab8aadf
- SHA512
  
  d0d49fe7a5a896e980d9558b0c170756a1e64a8e0ed903961bb1e6da5540a0b3dd21310e5e7360fb31a66b4662d10685a8f5e6dc7116e267f64d0f431047a066
- SSDEEP
  
  24576:03bKxS8debw/ZG0eaFsGzjeN/9JmLu+dzUdj+F/:03GQZbwi4fY/9Uaoqq/
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  564bb0373067e1785cba7e4c24aab4bf
- SHA1
  
  7c9416a01d821b10b2eef97b80899d24014d6fc1
- SHA256
  
  7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
- SHA512
  
  22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- SSDEEP
  
  192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score

3^/10

discovery
behavioral3 behavioral4