guloader | 0349e40ccc3ffad405bf09c148b1a8e682823938385edc10253db66ad9bc2d90

General

Target

Fatura Doc_Nr._4000200_43169-_.pdf.exe
Size

655KB
Sample

250203-hdkt7atkdx
MD5

11efce99af9dfb15ce0b4e53cbfc76be
SHA1

d02de892de917e65ab54e7daa2da7c1b463f975f
SHA256

0349e40ccc3ffad405bf09c148b1a8e682823938385edc10253db66ad9bc2d90
SHA512

1fa2f58d84522ba1bb651f7733acd18961aab997748343f721ddf8826a6ecca598376e3db9a462a37ae23730334555ed89a3fb3ef309acbd20b068576ebb29bd
SSDEEP

12288:Cgum6gVzkp6YvYT6TiMvmzZT6hSfe7UTuJdAwKne4O8B:BVoc0YoGMSm7U6Jd3sO8

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.etimaad.com
Port:
587
Username:
[email protected]
Password:
!.a&qR_e50hP
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.etimaad.com
Port:
587
Username:
[email protected]
Password:
!.a&qR_e50hP

Targets

- Target
  
  Fatura Doc_Nr._4000200_43169-_.pdf.exe
- Size
  
  655KB
- MD5
  
  11efce99af9dfb15ce0b4e53cbfc76be
- SHA1
  
  d02de892de917e65ab54e7daa2da7c1b463f975f
- SHA256
  
  0349e40ccc3ffad405bf09c148b1a8e682823938385edc10253db66ad9bc2d90
- SHA512
  
  1fa2f58d84522ba1bb651f7733acd18961aab997748343f721ddf8826a6ecca598376e3db9a462a37ae23730334555ed89a3fb3ef309acbd20b068576ebb29bd
- SSDEEP
  
  12288:Cgum6gVzkp6YvYT6TiMvmzZT6hSfe7UTuJdAwKne4O8B:BVoc0YoGMSm7U6Jd3sO8
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  0c44f21d4afc81cc99fac7cc35e4503a
- SHA1
  
  3d0d5c684df99a46510c0e2c0020163a9d11c08d
- SHA256
  
  8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10
- SHA512
  
  4e4bd35d6aa21cecbfe7a93a2ee7db8ee78ca710a4193dfe240d1067afbe10f61db332c1c85f6cc3ba404d895a959742401b615ef8ff5bd9028254c4a43a0923
- SSDEEP
  
  48:S46+/N3TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zPuPbOBtWZBV8jAWiAJCdv2CmpL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  a4dd044bcd94e9b3370ccf095b31f896
- SHA1
  
  17c78201323ab2095bc53184aa8267c9187d5173
- SHA256
  
  2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
- SHA512
  
  87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
- SSDEEP
  
  192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE
Score

3^/10

discovery
behavioral5 behavioral6