guloader | 738b4545d501e7f240c2f1e3cf98218f703b4ee08d529c87aca5b8270aac4643

General

Target

Justificante67ab404ffe31b359e00a499e656454545.exe
Size

1.1MB
Sample

250214-xpybzsxjbl
MD5

b1311507ccad8738e432250721633828
SHA1

0a8c23e3f5f4e0c9517c5c44dd42ff4f5741f8c5
SHA256

738b4545d501e7f240c2f1e3cf98218f703b4ee08d529c87aca5b8270aac4643
SHA512

3c128b5f255b5c93bef13eb32bd3c62b251dfa6f7ef74110759d761c67ee7f7fecf6429041cb0f2f805376caca06e011fc08097f98af8d3bf7d2ee66d7f20652
SSDEEP

12288:U0BdXJiHwr4fol0C2eXl72e5qtwj5yXMFZCi/ukqwfpMvKxdACg7/zqKkawzfg0o:VV8ol4yg8DCwbfqiPACOedfHYNXNHA6

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0/sendMessage?chat_id=7618581100

Targets

- Target
  
  Justificante67ab404ffe31b359e00a499e656454545.exe
- Size
  
  1.1MB
- MD5
  
  b1311507ccad8738e432250721633828
- SHA1
  
  0a8c23e3f5f4e0c9517c5c44dd42ff4f5741f8c5
- SHA256
  
  738b4545d501e7f240c2f1e3cf98218f703b4ee08d529c87aca5b8270aac4643
- SHA512
  
  3c128b5f255b5c93bef13eb32bd3c62b251dfa6f7ef74110759d761c67ee7f7fecf6429041cb0f2f805376caca06e011fc08097f98af8d3bf7d2ee66d7f20652
- SSDEEP
  
  12288:U0BdXJiHwr4fol0C2eXl72e5qtwj5yXMFZCi/ukqwfpMvKxdACg7/zqKkawzfg0o:VV8ol4yg8DCwbfqiPACOedfHYNXNHA6
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  34442e1e0c2870341df55e1b7b3cccdc
- SHA1
  
  99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
- SHA256
  
  269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
- SHA512
  
  4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51
- SSDEEP
  
  192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4