guloader | 47563ed1c4b110ad50d36c9a6a96895b09eb268bad491be453c9d61fee65e179

General

Target

47563ed1c4b110ad50d36c9a6a96895b09eb268bad491be453c9d61fee65e179.exe
Size

745KB
Sample

250215-dq343stlgk
MD5

e7ba226dadc29e89e6b5d766e09ec7aa
SHA1

86631dec86de9504f9805ce79c06986c7ea112b6
SHA256

47563ed1c4b110ad50d36c9a6a96895b09eb268bad491be453c9d61fee65e179
SHA512

f7e7dada4f0d1984a9d0da368cc4b0937a06e92ac7dd03f9668e3e0cf933a09b894551e68481b2d50cad5c7b38158703386d311d92eb7c0ab41851bfcb485931
SSDEEP

12288:oF9MdJNizNPjkJy38SeD83S1VQJ1VdEnxnE8UML789zUO9vVOI0emBmb:AMZy5L3lRsAfd4xnlGUOdb0emBmb

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7489750239:AAEw2JkxSc8H_ozt5TooV_cG6lyHNDmFJi8/sendMessage?chat_id=7050097659

Targets

- Target
  
  47563ed1c4b110ad50d36c9a6a96895b09eb268bad491be453c9d61fee65e179.exe
- Size
  
  745KB
- MD5
  
  e7ba226dadc29e89e6b5d766e09ec7aa
- SHA1
  
  86631dec86de9504f9805ce79c06986c7ea112b6
- SHA256
  
  47563ed1c4b110ad50d36c9a6a96895b09eb268bad491be453c9d61fee65e179
- SHA512
  
  f7e7dada4f0d1984a9d0da368cc4b0937a06e92ac7dd03f9668e3e0cf933a09b894551e68481b2d50cad5c7b38158703386d311d92eb7c0ab41851bfcb485931
- SSDEEP
  
  12288:oF9MdJNizNPjkJy38SeD83S1VQJ1VdEnxnE8UML789zUO9vVOI0emBmb:AMZy5L3lRsAfd4xnlGUOdb0emBmb
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  cf85183b87314359488b850f9e97a698
- SHA1
  
  6b6c790037eec7ebea4d05590359cb4473f19aea
- SHA256
  
  3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
- SHA512
  
  fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b
- SSDEEP
  
  96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4