guloader | 2fd1cc1868352ae40f4a9571453e942d8fdf89547bbf6d3c7c9e235310f0ae12

General

Target

factura_0011075553pdf.exe
Size

758KB
Sample

250206-m88xqavmgn
MD5

15f25645fa9bcbc88149319aca2e4702
SHA1

ee58e750221ec072f3c53a894ad7368ef8d62f66
SHA256

2fd1cc1868352ae40f4a9571453e942d8fdf89547bbf6d3c7c9e235310f0ae12
SHA512

74629b71dbd1e83d0bdf6fc27a009a995a0da6d4e56d3108d5a9dc27fd99522a45e01032f5a16de29404717ffa5e91699ec6bc2b58a8eede5199752998c719f4
SSDEEP

12288:9CT6Nmz7awjJEIq9jWrFfF5f/wkos0uVPJbiDBfR5j5TzIBCZYu+fQCZ0CZr2:9C6Nmz2Ub6CrRFp/wkos0CJbiDLTmAY6

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.paraisoayacucho.com
Port:
587
Username:
[email protected]
Password:
Admin2928@@
Email To:
[email protected]

C2

https://api.telegram.org/bot7593476266:AAE6M295mE9PbPkQ7CR5WSujMoIZWK3jwKo/sendMessage?chat_id=6104927734

Targets

- Target
  
  factura_0011075553pdf.exe
- Size
  
  758KB
- MD5
  
  15f25645fa9bcbc88149319aca2e4702
- SHA1
  
  ee58e750221ec072f3c53a894ad7368ef8d62f66
- SHA256
  
  2fd1cc1868352ae40f4a9571453e942d8fdf89547bbf6d3c7c9e235310f0ae12
- SHA512
  
  74629b71dbd1e83d0bdf6fc27a009a995a0da6d4e56d3108d5a9dc27fd99522a45e01032f5a16de29404717ffa5e91699ec6bc2b58a8eede5199752998c719f4
- SSDEEP
  
  12288:9CT6Nmz7awjJEIq9jWrFfF5f/wkos0uVPJbiDBfR5j5TzIBCZYu+fQCZ0CZr2:9C6Nmz2Ub6CrRFp/wkos0CJbiDLTmAY6
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  960a5c48e25cf2bca332e74e11d825c9
- SHA1
  
  da35c6816ace5daf4c6c1d57b93b09a82ecdc876
- SHA256
  
  484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
- SHA512
  
  cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da
- SSDEEP
  
  192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
Score

3^/10

discovery
behavioral3 behavioral4