guloader | 616bfb78e139a9149abd2b16353af1c566eaae58e0366d9536cfca1f3cf9587f

General

Target

616bfb78e139a9149abd2b16353af1c566eaae58e0366d9536cfca1f3cf9587f.exe
Size

1.1MB
Sample

250218-c48faawle1
MD5

85a952db819fdb0faf89469707175466
SHA1

4d08431c60f0cd0e79048a3e5f8a4d50a5d89b66
SHA256

616bfb78e139a9149abd2b16353af1c566eaae58e0366d9536cfca1f3cf9587f
SHA512

7b289fdb46d3ee0dddcfe1e7bedfc4ac6b0a3749ac028e4d0e4e91cd94e3598f57eeaf3497022f5935b1e0e12bafb27d27848793eb9e2ffdf00fa68cef41d668
SSDEEP

24576:qfwUrb8d7cUUe1+bpIuKTRlfKcP7Ixz9h4qNBSeIh9HD0J9Caq0lUK+fuTdTd:jCb8l51+FKInzwF1jLaq1ad

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7593476266:AAE6M295mE9PbPkQ7CR5WSujMoIZWK3jwKo/sendMessage?chat_id=6104927734

Targets

- Target
  
  616bfb78e139a9149abd2b16353af1c566eaae58e0366d9536cfca1f3cf9587f.exe
- Size
  
  1.1MB
- MD5
  
  85a952db819fdb0faf89469707175466
- SHA1
  
  4d08431c60f0cd0e79048a3e5f8a4d50a5d89b66
- SHA256
  
  616bfb78e139a9149abd2b16353af1c566eaae58e0366d9536cfca1f3cf9587f
- SHA512
  
  7b289fdb46d3ee0dddcfe1e7bedfc4ac6b0a3749ac028e4d0e4e91cd94e3598f57eeaf3497022f5935b1e0e12bafb27d27848793eb9e2ffdf00fa68cef41d668
- SSDEEP
  
  24576:qfwUrb8d7cUUe1+bpIuKTRlfKcP7Ixz9h4qNBSeIh9HD0J9Caq0lUK+fuTdTd:jCb8l51+FKInzwF1jLaq1ad
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
  
  d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
  
  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- SHA512
  
  2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- SSDEEP
  
  192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score

3^/10

discovery
behavioral3 behavioral4