guloader | 6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1

General

Target

6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
Size

714KB
Sample

250204-em7tjawmgj
MD5

5af40840e1595abd3d4a595ccd6aa0e4
SHA1

5bae45afeb45a891e060ac45dfa42cbe6a538de7
SHA256

6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1
SHA512

82c924472e0209f6f40638644d3521ce1f4291ff1e1295ac6d27a952054ad19671a5ad33835ef130ce26c5e2d4215bd192b5f7394b0bf3f887c3943b0f044545
SSDEEP

12288:v3qdpzxjUJAn4n/kliiXC4UhfrdIgw0dy69FVOXgIfPCDQjUAZZd8iM/4z:v3qdbyA4n/kliicfrdS0E69fOQIfqDQR

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot5362707045:AAGBjkYF97cvI4xaEhJ1OrouiqS3umCPqqA/sendMessage?chat_id=5340613581

Targets

- Target
  
  6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
- Size
  
  714KB
- MD5
  
  5af40840e1595abd3d4a595ccd6aa0e4
- SHA1
  
  5bae45afeb45a891e060ac45dfa42cbe6a538de7
- SHA256
  
  6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1
- SHA512
  
  82c924472e0209f6f40638644d3521ce1f4291ff1e1295ac6d27a952054ad19671a5ad33835ef130ce26c5e2d4215bd192b5f7394b0bf3f887c3943b0f044545
- SSDEEP
  
  12288:v3qdpzxjUJAn4n/kliiXC4UhfrdIgw0dy69FVOXgIfPCDQjUAZZd8iM/4z:v3qdbyA4n/kliicfrdS0E69fOQIfqDQR
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  6e55a6e7c3fdbd244042eb15cb1ec739
- SHA1
  
  070ea80e2192abc42f358d47b276990b5fa285a9
- SHA256
  
  acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
- SHA512
  
  2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
- SSDEEP
  
  192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
Score

3^/10

discovery
behavioral3 behavioral4