guloader | 776dd51dfd7309546e1ebb643140f9836d5d54a82e5cd0df4f8fe1b88faaa182

General

Target

776dd51dfd7309546e1ebb643140f9836d5d54a82e5cd0df4f8fe1b88faaa182.exe
Size

926KB
Sample

250207-fpq48s1ngk
MD5

780fdda9383f9e0159b1c51da46aff23
SHA1

0cf4c30af95e0edb2112bf79bf5397bba5adc36b
SHA256

776dd51dfd7309546e1ebb643140f9836d5d54a82e5cd0df4f8fe1b88faaa182
SHA512

b8d636f3c342d88e7e638f4eb304013eca263908b60772b873c4d65b05d3345ddfcc682125d2816b5275fc058fb4f1dba59b19aba7dcc6c244b3f03ecc2db203
SSDEEP

24576:60fAYe14RpqJLxiO5qyURKNCubiDLTmAYu+oA0Ar2:z4kRciy7IUkMJ9

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.kuattrode.hn
Port:
587
Username:
[email protected]
Password:
qzN$t-TB#R
Email To:
[email protected]

Targets

- Target
  
  776dd51dfd7309546e1ebb643140f9836d5d54a82e5cd0df4f8fe1b88faaa182.exe
- Size
  
  926KB
- MD5
  
  780fdda9383f9e0159b1c51da46aff23
- SHA1
  
  0cf4c30af95e0edb2112bf79bf5397bba5adc36b
- SHA256
  
  776dd51dfd7309546e1ebb643140f9836d5d54a82e5cd0df4f8fe1b88faaa182
- SHA512
  
  b8d636f3c342d88e7e638f4eb304013eca263908b60772b873c4d65b05d3345ddfcc682125d2816b5275fc058fb4f1dba59b19aba7dcc6c244b3f03ecc2db203
- SSDEEP
  
  24576:60fAYe14RpqJLxiO5qyURKNCubiDLTmAYu+oA0Ar2:z4kRciy7IUkMJ9
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  960a5c48e25cf2bca332e74e11d825c9
- SHA1
  
  da35c6816ace5daf4c6c1d57b93b09a82ecdc876
- SHA256
  
  484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
- SHA512
  
  cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da
- SSDEEP
  
  192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
Score

3^/10

discovery
behavioral3 behavioral4