guloader | 32e7fc96512773d7172f32677eac9edf3efbda2dc17763b069cd390917c7b581

General

Target

32e7fc96512773d7172f32677eac9edf3efbda2dc17763b069cd390917c7b581
Size

734KB
Sample

250212-1g59eaymck
MD5

d6a7a904710b9e5378cb7949fca50ebd
SHA1

426e11a0080f84d3e8fbcd432b60e775ab0a3b46
SHA256

32e7fc96512773d7172f32677eac9edf3efbda2dc17763b069cd390917c7b581
SHA512

a8efa040f49f73d22ab1f575d6232ce6b65e2d351e23a093dbc556ba39a438b1e4f341300628032fd42456aecbb714eec06207d86d9c0d317aea75d8f361a7ed
SSDEEP

12288:GnPdlR+52PR4VHhTW88qImre/WDveGJKWVHkjzQYTfglVs5Kf:6PdlRY25YBTW88qINurePwEXBMVso

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendMessage?chat_id=7171338311

Targets

- Target
  
  32e7fc96512773d7172f32677eac9edf3efbda2dc17763b069cd390917c7b581
- Size
  
  734KB
- MD5
  
  d6a7a904710b9e5378cb7949fca50ebd
- SHA1
  
  426e11a0080f84d3e8fbcd432b60e775ab0a3b46
- SHA256
  
  32e7fc96512773d7172f32677eac9edf3efbda2dc17763b069cd390917c7b581
- SHA512
  
  a8efa040f49f73d22ab1f575d6232ce6b65e2d351e23a093dbc556ba39a438b1e4f341300628032fd42456aecbb714eec06207d86d9c0d317aea75d8f361a7ed
- SSDEEP
  
  12288:GnPdlR+52PR4VHhTW88qImre/WDveGJKWVHkjzQYTfglVs5Kf:6PdlRY25YBTW88qINurePwEXBMVso
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4