guloader | dfb9d2234149f933add8bb7682094fa32430f41f34061b077776cecaa0a7ce16

General

Target

dfb9d2234149f933add8bb7682094fa32430f41f34061b077776cecaa0a7ce16.exe
Size

575KB
Sample

250201-eb8lpasjb1
MD5

09f7f6f3e306a2909543d9ac199c7c0a
SHA1

3cbef0b139ee88916c063c2375b9ae4150ff4a4a
SHA256

dfb9d2234149f933add8bb7682094fa32430f41f34061b077776cecaa0a7ce16
SHA512

98d0becf921388a270d62361f772a493f83aaa9c839bfa80584ffd9307969b05147b1d309f4bd51dd86aaedafb1407e7c392ce6f8d3be53e9e5ece7064eac1de
SSDEEP

12288:Gk2YLS3JInQZNEjCxOV4AAm3R3W6TRVZdMN:TLKInQriCxOV4ARR1ZdM

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7581561605:AAGI-5iG4DeXqVhNDvhaICvGbOejumUD6AE/sendMessage?chat_id=5434550993

Targets

- Target
  
  dfb9d2234149f933add8bb7682094fa32430f41f34061b077776cecaa0a7ce16.exe
- Size
  
  575KB
- MD5
  
  09f7f6f3e306a2909543d9ac199c7c0a
- SHA1
  
  3cbef0b139ee88916c063c2375b9ae4150ff4a4a
- SHA256
  
  dfb9d2234149f933add8bb7682094fa32430f41f34061b077776cecaa0a7ce16
- SHA512
  
  98d0becf921388a270d62361f772a493f83aaa9c839bfa80584ffd9307969b05147b1d309f4bd51dd86aaedafb1407e7c392ce6f8d3be53e9e5ece7064eac1de
- SSDEEP
  
  12288:Gk2YLS3JInQZNEjCxOV4AAm3R3W6TRVZdMN:TLKInQriCxOV4ARR1ZdM
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  f1e9eed02db3a822a7ddef0c724e5f1f
- SHA1
  
  65864992f5b6c79c5efbefb5b1354648a8a86709
- SHA256
  
  6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df
- SHA512
  
  c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c
- SSDEEP
  
  48:S46+/fTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mjsofjLl:zRuPbOBtWZBV8jAWiAJCdv2Cmj/L
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  17ed1c86bd67e78ade4712be48a7d2bd
- SHA1
  
  1cc9fe86d6d6030b4dae45ecddce5907991c01a0
- SHA256
  
  bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
- SHA512
  
  0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
- SSDEEP
  
  192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Score

3^/10

discovery
behavioral5 behavioral6