guloader | a29d58240752e42c0e692a6b6b08e8cf2abb9626b4a83d6ddc4ceed51f4ff667 | Triage

Sharing

General

Target

a29d58240752e42c0e692a6b6b08e8cf2abb9626b4a83d6ddc4ceed51f4ff667.exe
Size

726KB
Sample

250206-hvpvgayqep
MD5

e353e90a21ca20f3e7bdc640db4bef64
SHA1

4b953174a91cae3617b8f8bfea1056310951d254
SHA256

a29d58240752e42c0e692a6b6b08e8cf2abb9626b4a83d6ddc4ceed51f4ff667
SHA512

d4d6b104b59b4786a43a4dd1060143ec4bf1f1ea11f8918073555fedb82c27e5428c823d4deda84d08be7a0d77e53898204b182ea4c195dae921457decea5bae
SSDEEP

12288:dT58++c2/p0FdmxxSKAHNaPH+r3cFaql2DiNpHUy6iqezkmRkFD0ygchhZMfob:dT58+86wxx5dfG3cFnN5UB9vmRkFDZhn

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.royalwaweltours.com
Port:
587
Username:
[email protected]
Password:
COLL-ARA0324
Email To:
[email protected]

Targets

- Target
  
  a29d58240752e42c0e692a6b6b08e8cf2abb9626b4a83d6ddc4ceed51f4ff667.exe
- Size
  
  726KB
- MD5
  
  e353e90a21ca20f3e7bdc640db4bef64
- SHA1
  
  4b953174a91cae3617b8f8bfea1056310951d254
- SHA256
  
  a29d58240752e42c0e692a6b6b08e8cf2abb9626b4a83d6ddc4ceed51f4ff667
- SHA512
  
  d4d6b104b59b4786a43a4dd1060143ec4bf1f1ea11f8918073555fedb82c27e5428c823d4deda84d08be7a0d77e53898204b182ea4c195dae921457decea5bae
- SSDEEP
  
  12288:dT58++c2/p0FdmxxSKAHNaPH+r3cFaql2DiNpHUy6iqezkmRkFD0ygchhZMfob:dT58+86wxx5dfG3cFnN5UB9vmRkFDZhn
Score

10^/10

discovery guloader vipkeylogger downloader keylogger stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  d968cb2b98b83c03a9f02dd9b8df97dc
- SHA1
  
  d784c9b7a92dce58a5038beb62a48ff509e166a0
- SHA256
  
  a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
- SHA512
  
  2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e
- SSDEEP
  
  192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

guloadervipkeyloggerdiscoverydownloaderkeyloggerstealer

behavioral3

behavioral4