guloader | 3d48749c9933892087a4776b6bc0f7c25d156cb4ef0b0ff2af28e6cdca1df8d6

General

Target

SecuriteInfo.com.Win32.Trojan-Downloader.GuLoader.QAKJ8V.27372.733.exe
Size

653KB
Sample

250217-yaq5sssmdv
MD5

de14a721ceada1b17548a62bda2371d9
SHA1

79109c2d9deb5defb4a32d1b3583d2a7cbb0616e
SHA256

3d48749c9933892087a4776b6bc0f7c25d156cb4ef0b0ff2af28e6cdca1df8d6
SHA512

2d540da82b09dccb4e158ee71c5cb2f6e4c11ad3ddb1ad39189a89a90fcdba5e4c216b7db435a3a03a9e071f7f70c6cc43094a68b590de9592e65f90afebad98
SSDEEP

12288:1LITtpB6pNEzr9vjPGIJe6B5sAwGT1OufYHzytb0OmL2H8tEB2Lyp:1LAtpB6/UBPem/wGTYugHzZOmq8KALA

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.kuattrode.hn
Port:
587
Username:
[email protected]
Password:
qzN$t-TB#R
Email To:
[email protected]

Targets

- Target
  
  SecuriteInfo.com.Win32.Trojan-Downloader.GuLoader.QAKJ8V.27372.733.exe
- Size
  
  653KB
- MD5
  
  de14a721ceada1b17548a62bda2371d9
- SHA1
  
  79109c2d9deb5defb4a32d1b3583d2a7cbb0616e
- SHA256
  
  3d48749c9933892087a4776b6bc0f7c25d156cb4ef0b0ff2af28e6cdca1df8d6
- SHA512
  
  2d540da82b09dccb4e158ee71c5cb2f6e4c11ad3ddb1ad39189a89a90fcdba5e4c216b7db435a3a03a9e071f7f70c6cc43094a68b590de9592e65f90afebad98
- SSDEEP
  
  12288:1LITtpB6pNEzr9vjPGIJe6B5sAwGT1OufYHzytb0OmL2H8tEB2Lyp:1LAtpB6/UBPem/wGTYugHzZOmq8KALA
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  b8992e497d57001ddf100f9c397fcef5
- SHA1
  
  e26ddf101a2ec5027975d2909306457c6f61cfbd
- SHA256
  
  98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
- SHA512
  
  8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c
- SSDEEP
  
  192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn
Score

3^/10

discovery
behavioral3 behavioral4