guloader | 702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62

General

Target

702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62
Size

742KB
Sample

250214-h78hcawrcn
MD5

20a7c8112e5876adb90550f2fe0c78de
SHA1

1671082a2bf6cb091364ac4c8520c20aefc7cb8a
SHA256

702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62
SHA512

1fe26d1e00a156d7c73acc7cdc62c9f5e7a822099d70ce8f0fc7155a5d2215ba353aac1caff9de3b823e45e0ecac879ede1c7a36ceea9b0e6d5f5d3b52f3019a
SSDEEP

12288:EnPdlO7MQiTrKAEYNKoFfwtJr1zLlKsc6NdELyMdj2XHyQs2NMh4vp4zaS7+:UPdliMQsDR8o5C7zLrPELZ23yQRN1Gb7

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8118244750:AAHW9qN4qIFfpwTeDTPtn27qicq6nUcMbog/sendMessage?chat_id=1767942457

Targets

- Target
  
  702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62
- Size
  
  742KB
- MD5
  
  20a7c8112e5876adb90550f2fe0c78de
- SHA1
  
  1671082a2bf6cb091364ac4c8520c20aefc7cb8a
- SHA256
  
  702ceddaa83348514f637a06c19a476999b3a391a7de4fc49efe9fa368fcaa62
- SHA512
  
  1fe26d1e00a156d7c73acc7cdc62c9f5e7a822099d70ce8f0fc7155a5d2215ba353aac1caff9de3b823e45e0ecac879ede1c7a36ceea9b0e6d5f5d3b52f3019a
- SSDEEP
  
  12288:EnPdlO7MQiTrKAEYNKoFfwtJr1zLlKsc6NdELyMdj2XHyQs2NMh4vp4zaS7+:UPdliMQsDR8o5C7zLrPELZ23yQRN1Gb7
Score

10^/10

guloader discovery downloader vipkeylogger collection keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4