Extracted

• • Target

    422015d422ded61ed45845d160782e5f9f2ec46ba787148f84cfed86214bf21e.exe

  • Size

    1.1MB

  • MD5

    a4c9d6c210887245f127812099c95379

  • SHA1

    67584fbdf8ed9583be192a8450260b7f3bbd1a1f

  • SHA256

    422015d422ded61ed45845d160782e5f9f2ec46ba787148f84cfed86214bf21e

  • SHA512

    1d394e59d202466e5d58ffd3d1f2507de539346a35dfd2cc910ca2769090f5bfcfd10ce408149370182814f09b6f430f410b0726bdcd7fdf79be57edad895248

  • SSDEEP

    24576:k3bKxkMa51TZ4RjYoGz8N/9JmLu+dzUdj+F/p:k3G2MaXTWYdq/9Uaoqq/p

  Score

  10^/10

  discoveryguloadervipkeyloggerdownloaderkeyloggerstealer

  • Guloader family

    guloader

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Downloads MZ/PE file

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/System.dll

  • Size

    12KB

  • MD5

    564bb0373067e1785cba7e4c24aab4bf

  • SHA1

    7c9416a01d821b10b2eef97b80899d24014d6fc1

  • SHA256

    7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

  • SHA512

    22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

  • SSDEEP

    192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

  Score

  8^/10

  discovery

  • Downloads MZ/PE file

  behavioral3behavioral4