guloader | ca4be12cbc3ba7f42fa559b4582a1bcfeeedd4d45734fe36e965943dcf4005eb | Triage

Sharing

General

Target

ca4be12cbc3ba7f42fa559b4582a1bcfeeedd4d45734fe36e965943dcf4005eb
Size

763KB
Sample

250206-cyh87szlgy
MD5

1523f8467170ad0fabff018beefe6ce8
SHA1

dedec5d05719080730c2a991ad6240197d41e63e
SHA256

ca4be12cbc3ba7f42fa559b4582a1bcfeeedd4d45734fe36e965943dcf4005eb
SHA512

ec71093b39d862f0510dcb563b273a5fac90697185a83851ecfb38ee89cd5620ec8ca26c0eb924f00cb954c368278da9d938da32827305560cb3880c501c926a
SSDEEP

12288:kepmMUd9RfK/rYs0xa9/TzcKlF1E4e31Q7mYC3QiXxTnpMDLX67vpdKzpFjvTzgW:Qtd9Y/rYsya97QEu4W1qCgAxTKK7vpQ7

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.copinsa.com
Port:
587
Username:
[email protected]
Password:
KNjBn1oE&(tD
Email To:
[email protected]

Targets

- Target
  
  PURCHASE ORDER_0001_0002.exe
- Size
  
  928KB
- MD5
  
  9bd31b17f6d38b3740c43beaa4d0fcba
- SHA1
  
  08f28ee8e0d16ec35b345043baa57812af29d945
- SHA256
  
  043a7576cff77abd0b8beb40fef1b227f4099cd7ab2a6db4fd1817e71672fb3d
- SHA512
  
  0c4463d67f889b47806eb820196471a5b015085f5ebfd45a803c176ddb6fdc747cf10c27114071e77a1c7fe460a2e04e2210771bfb9862a8d24b43c4576d46e5
- SSDEEP
  
  24576:n0f6OxrYsca9LcyI4WFuC6AdXhKJvbiDLTmAYu+oA0Ar2:0CftMLm4W08LKpkMJ9
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  960a5c48e25cf2bca332e74e11d825c9
- SHA1
  
  da35c6816ace5daf4c6c1d57b93b09a82ecdc876
- SHA256
  
  484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
- SHA512
  
  cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da
- SSDEEP
  
  192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloadervipkeyloggerdiscoverydownloaderkeyloggerstealer

behavioral2

guloadervipkeyloggerdiscoverydownloaderkeyloggerstealer

behavioral3

behavioral4