guloader | d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c

General

Target

SecuriteInfo.com.FileRepMalware.24375.4894.exe
Size

1.0MB
Sample

250210-lrvhbsyjf1
MD5

7cb641309b4799eb80d2e7b1d1bb270f
SHA1

4f3f3727b0a2834237e0f6746909b6e4dc2aaa28
SHA256

d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c
SHA512

5c0abf7f4ce789bfb910f207eabeaf121a98c6e6808c2da3498a676dd53c1f1f7780e1ba10bcd54c39dc0c73f88c1120b96b9fe5919252a17c1e0462cf063cc0
SSDEEP

24576:NtLjGGJ053ut4zYZZpFHSLdWcWLT5gUNbSx312z1mbfa20:NtL1J04ZXH21Mg2w3ymbfl0

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.leedelectronics.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Targets

- Target
  
  SecuriteInfo.com.FileRepMalware.24375.4894.exe
- Size
  
  1.0MB
- MD5
  
  7cb641309b4799eb80d2e7b1d1bb270f
- SHA1
  
  4f3f3727b0a2834237e0f6746909b6e4dc2aaa28
- SHA256
  
  d8ae6d2c9bedff86ae0d95cb82f4fcbf04e83ec295e83a0f137afe433f57259c
- SHA512
  
  5c0abf7f4ce789bfb910f207eabeaf121a98c6e6808c2da3498a676dd53c1f1f7780e1ba10bcd54c39dc0c73f88c1120b96b9fe5919252a17c1e0462cf063cc0
- SSDEEP
  
  24576:NtLjGGJ053ut4zYZZpFHSLdWcWLT5gUNbSx312z1mbfa20:NtL1J04ZXH21Mg2w3ymbfl0
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  7399323923e3946fe9140132ac388132
- SHA1
  
  728257d06c452449b1241769b459f091aabcffc5
- SHA256
  
  5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
- SHA512
  
  d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1
- SSDEEP
  
  192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4