guloader | 1c9473869a12e773f5a3f6305b2bb5842081c74ce4497afd9cf2a6d4f062a186

General

Target

1c9473869a12e773f5a3f6305b2bb5842081c74ce4497afd9cf2a6d4f062a186.exe
Size

648KB
Sample

250204-ecfmaswjcp
MD5

4daa83a70dd7469b2ae3d32bcfce684a
SHA1

95eb8470384a3014b3e45127b7505d11a44904a8
SHA256

1c9473869a12e773f5a3f6305b2bb5842081c74ce4497afd9cf2a6d4f062a186
SHA512

6b4a04898691c4d59ba2cf9247e2ef3c05baf961321fa00515fe03d510cb7ad132e053aa0452b7e97c3beaaca782895c41dbec6608e0fde041aca543bf2aec92
SSDEEP

12288:Cgum6gVzk57vTlyfRB35036jUXW4e8MQ+PTRK5Tq3cmoBCvWMRdKBoP:BVo5vTlwnUX88MfP817BiKy

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.hekoratapizados.com
Port:
587
Username:
[email protected]
Password:
QHZ7fyc6unq9jhe-cwe
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.hekoratapizados.com
Port:
587
Username:
[email protected]
Password:
QHZ7fyc6unq9jhe-cwe

Targets

- Target
  
  1c9473869a12e773f5a3f6305b2bb5842081c74ce4497afd9cf2a6d4f062a186.exe
- Size
  
  648KB
- MD5
  
  4daa83a70dd7469b2ae3d32bcfce684a
- SHA1
  
  95eb8470384a3014b3e45127b7505d11a44904a8
- SHA256
  
  1c9473869a12e773f5a3f6305b2bb5842081c74ce4497afd9cf2a6d4f062a186
- SHA512
  
  6b4a04898691c4d59ba2cf9247e2ef3c05baf961321fa00515fe03d510cb7ad132e053aa0452b7e97c3beaaca782895c41dbec6608e0fde041aca543bf2aec92
- SSDEEP
  
  12288:Cgum6gVzk57vTlyfRB35036jUXW4e8MQ+PTRK5Tq3cmoBCvWMRdKBoP:BVo5vTlwnUX88MfP817BiKy
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  0c44f21d4afc81cc99fac7cc35e4503a
- SHA1
  
  3d0d5c684df99a46510c0e2c0020163a9d11c08d
- SHA256
  
  8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10
- SHA512
  
  4e4bd35d6aa21cecbfe7a93a2ee7db8ee78ca710a4193dfe240d1067afbe10f61db332c1c85f6cc3ba404d895a959742401b615ef8ff5bd9028254c4a43a0923
- SSDEEP
  
  48:S46+/N3TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zPuPbOBtWZBV8jAWiAJCdv2CmpL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  a4dd044bcd94e9b3370ccf095b31f896
- SHA1
  
  17c78201323ab2095bc53184aa8267c9187d5173
- SHA256
  
  2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
- SHA512
  
  87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
- SSDEEP
  
  192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE
Score

3^/10

discovery
behavioral5 behavioral6