guloader | 7b676bf78d187d4d11cd10db0b8a31b908ee4d2a63556442da865d1c5aae2f22

General

Target

7b676bf78d187d4d11cd10db0b8a31b908ee4d2a63556442da865d1c5aae2f22.exe
Size

1.4MB
Sample

250215-dxp6sstmdm
MD5

95ccf2bcd18e87a3386e71a5d09e75fe
SHA1

79bbd13b8222d5a548a8b3539dcec954daf5d14f
SHA256

7b676bf78d187d4d11cd10db0b8a31b908ee4d2a63556442da865d1c5aae2f22
SHA512

88c5f95595d09a20752ff7f5aed8ab40be8dad92247ba5dd67e10c1b807a2e51c5d33bb408fa8ff6538f7a6fed4557dfee8e26a9d98411b5085dc902505b2ffe
SSDEEP

24576:rtCtMYqSjjyxp8TehWCT2ldnvBw9mnAsrGMht2jLJ9Ks1y0dpvPccfZrpqXAYkJ2:rtCtJBKm7CKTvCZyGMht83Ks00LffeA8

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.copinsa.com
Port:
587
Username:
[email protected]
Password:
CmA9.v9,O!~I
Email To:
[email protected]

Targets

- Target
  
  7b676bf78d187d4d11cd10db0b8a31b908ee4d2a63556442da865d1c5aae2f22.exe
- Size
  
  1.4MB
- MD5
  
  95ccf2bcd18e87a3386e71a5d09e75fe
- SHA1
  
  79bbd13b8222d5a548a8b3539dcec954daf5d14f
- SHA256
  
  7b676bf78d187d4d11cd10db0b8a31b908ee4d2a63556442da865d1c5aae2f22
- SHA512
  
  88c5f95595d09a20752ff7f5aed8ab40be8dad92247ba5dd67e10c1b807a2e51c5d33bb408fa8ff6538f7a6fed4557dfee8e26a9d98411b5085dc902505b2ffe
- SSDEEP
  
  24576:rtCtMYqSjjyxp8TehWCT2ldnvBw9mnAsrGMht2jLJ9Ks1y0dpvPccfZrpqXAYkJ2:rtCtJBKm7CKTvCZyGMht83Ks00LffeA8
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
  
  d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
  
  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- SHA512
  
  2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- SSDEEP
  
  192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4