guloader | dde1528c732c07d5f7153dc871342bd4657836a7ccfe185e15af90c87dbf95a7

General

Target

SecuriteInfo.com.FileRepMalware.23885.29286.exe
Size

1019KB
Sample

250210-nv9sjazrgs
MD5

48b03eaf0daf01e7e607c9ef2d4605e6
SHA1

197c883e8f662c4f432f9b433cab6fbae45cb7cc
SHA256

dde1528c732c07d5f7153dc871342bd4657836a7ccfe185e15af90c87dbf95a7
SHA512

db4900abfad46fae0518ac34d38a16eb74033d4262a0f46da05106ab46811a9a9b23078cc32278b3dad4d521dc68d6e29b0ad8a577968f47b6fc1393c39caf0f
SSDEEP

24576:NtLj+hI8nM8/LitBKEvjqVdYpD0rDpCKOIRNFlBsaKo:NtLihpnV/LSqVdI0rNbNF7sxo

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.muriana.com
Port:
587
Username:
[email protected]
Password:
Provisional123***
Email To:
[email protected]

Targets

- Target
  
  SecuriteInfo.com.FileRepMalware.23885.29286.exe
- Size
  
  1019KB
- MD5
  
  48b03eaf0daf01e7e607c9ef2d4605e6
- SHA1
  
  197c883e8f662c4f432f9b433cab6fbae45cb7cc
- SHA256
  
  dde1528c732c07d5f7153dc871342bd4657836a7ccfe185e15af90c87dbf95a7
- SHA512
  
  db4900abfad46fae0518ac34d38a16eb74033d4262a0f46da05106ab46811a9a9b23078cc32278b3dad4d521dc68d6e29b0ad8a577968f47b6fc1393c39caf0f
- SSDEEP
  
  24576:NtLj+hI8nM8/LitBKEvjqVdYpD0rDpCKOIRNFlBsaKo:NtLihpnV/LSqVdI0rNbNF7sxo
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  7399323923e3946fe9140132ac388132
- SHA1
  
  728257d06c452449b1241769b459f091aabcffc5
- SHA256
  
  5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
- SHA512
  
  d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1
- SSDEEP
  
  192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4