guloader | 262d6420018c8000d4f95686b9b6862737b7bd46ca94916c0c23d4ae603a8e5f

Sharing

Copy URL

Twitter E-mail

General

Target

Pago.rar
Size

649KB
Sample

250219-xw1exswrdx
MD5

acb3c83c34db1b5d300a9a00c65e757f
SHA1

a5e69df876fc79288ddf1eec674dcc2e250c713f
SHA256

262d6420018c8000d4f95686b9b6862737b7bd46ca94916c0c23d4ae603a8e5f
SHA512

56af5d0d1522d12e0bbdfb36e55d0c79138a0a632272a40c98e427b5a805ef4ff13e7097425777f2d47d9542e46a3458354ccda5e204f1320193456ddc64014b
SSDEEP

12288:RhYZQBSGaPmixXvShCt13Pc7JOglIXJjAC86hK1mFxeXSZk78RSb56U:jYZQQFZPHnhK1Mx4v7/l

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7888169387:AAFhsoUaeWK9XqbrEJl452LFnH_AAaGbsWI/sendMessage?chat_id=6838630391

Targets

- Target
  
  Skery.exe
- Size
  
  673KB
- MD5
  
  23c5b9f638e095f67c6e0c038431f24b
- SHA1
  
  6b3366c3ff8aa8576c520adb20f6fdea2393ed7f
- SHA256
  
  380487150b51a339c3d8c34526c0109d9b5a904aee3e41abc62c04a63ec18dfb
- SHA512
  
  0dea689116a01ac15e11420cdbfc01bf70b010fc175f726e873f2f32356d2521dbaf9369b193ca8439a98f29950e5a51e98598e03af5a8995a561b3523b74d15
- SSDEEP
  
  12288:Xa/AcZ6qJ2s1+pBOijz3U1PbGf+883INo89u/r2XdgjPEmADNA0EpphZNG2q:X4Z6SQB5/3U5SWN3INFu/9jsmY0q
Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10

discovery
behavioral2
- Target
  
  Cyberangreb/Acanthopterous29.bus
- Size
  
  204KB
- MD5
  
  566babc802e773a29bb44f167b8f0174
- SHA1
  
  999d16a5e7a9d26e846ad4c0e7eb3aa6e844cc2c
- SHA256
  
  d78c7bf755f26aa42c1f9a9be74d10c22eb81760b2b5ca664a56aa559b63c781
- SHA512
  
  0111fd8f094f3e025c92a71b4d289439574d21d881e14ecb34f3f5a3f60e84b58637e0b55f0aa4269b18b24e9fe046491f0ec474467d17739a79e3647ca4e137
- SSDEEP
  
  6144:A8KQEhQiWL6SvQ4huRk+tlJvpCaIzCX4CjTI:A8WQhlQ4huL7vX1oCjTI
Score

3^/10
behavioral3
- Target
  
  Cyberangreb/Aphthartodocetic.ini
- Size
  
  385B
- MD5
  
  90ec9feaab66462033fbb70fb9a3ee4b
- SHA1
  
  7aef435efc9c6007010315d6a7278a04e5a52429
- SHA256
  
  e2c21afe2ccd6e3d219780f268500bb8337d8b891e8595ec7c49ac35baac2057
- SHA512
  
  2cf848417755b906827eb26e42f84b8a454ea409855f3705d74e66f0f4340b8019d914e6616d302a69363a5f834a6e1ccb9a1f2b7887fa5a42bd11cae317beb4
Score

3^/10
behavioral4
- Target
  
  Cyberangreb/Repetatively/Fljtetndes.Gon250
- Size
  
  443KB
- MD5
  
  69a59c68e890f9d866c6acdf51a6bc96
- SHA1
  
  099307a65cb1a8b2f110fb95b88d4cf56934df81
- SHA256
  
  04fd426c8dc400ab632d71c6e745cf1d7ca4e22a1893095bbca798d644b05fd4
- SHA512
  
  fe3c99115c28553cdc47d7fb1f59cceeb701ff6f35ff325f27c34050fa3df898551d3d3125c46a18905ab3f23c29e4fe5453c62e6e27e4b230cf434871c2d48a
- SSDEEP
  
  1536:9sQ9i0/S03PC4cC5SC6x1fLdRT040NGsRQ3uRTU10hXhYEssgWG1j6ZmOVFIf4U3:niaqCNJAAqOVPgSTxTowpB6D
Score

3^/10
behavioral5
- Target
  
  Cyberangreb/Repetatively/Innovativeness151.jpg
- Size
  
  28KB
- MD5
  
  c9abf950b5ea7c4e30dd9f58fc96e8d2
- SHA1
  
  783b728f9c93a86a9524af93f9df2ec851a38a69
- SHA256
  
  7b1f375157924d100b36c83547fd9a070c5c2f99aa2821af7372d73dd34a264b
- SHA512
  
  c40dafa22a0d2aeab1757d1ef4a4d47a5a3098552c98ab1ca36a4c8d4eb6526acd632737ace30c04dd56c37f967b2477991db1a461bac329a26b6a050ea6a7be
- SSDEEP
  
  768:JPcUFwwqj73AuqAnmlcjknNblmP1CvYUI3dtz1VSA:JPcUsjHqOwxDYiA
Score

1^/10
behavioral6
- Target
  
  Cyberangreb/Repetatively/desorienteres.txt
- Size
  
  491B
- MD5
  
  663e26e192d34c89a21482f86a0cc079
- SHA1
  
  d50c89ddf76d97b7fff7afbb20fe698b820f35be
- SHA256
  
  79ab4370ca578d5fa793bfe1a3041d70b95855d3056594fa41edc00ecf416a20
- SHA512
  
  b9a84b48f8a8f733f10a88f285169eca7416e6fe1a2b51b73a4a4228c7a8781292dcbde1ff748ecd1e7ff14b743f3e0bf455ee3c1bd0bf2454b0e33b39a30fa3
Score

3^/10
behavioral7
- Target
  
  Cyberangreb/Repetatively/gennemskylnings.txt
- Size
  
  652B
- MD5
  
  790ebf2ac0ca4adcdb58e45d0a450dbc
- SHA1
  
  d18f698c2aa650d78ad5167e3b2b9953f54d3f8a
- SHA256
  
  c49f3f671b7cbf550040ea2dc10d462a46d87c7d62ca0f85c6cdfe86a42cecd2
- SHA512
  
  1f3d6ee159d0ee604d22a6565228f41c58fadcf141b8a69a277d70b8d74a3306205b3fc56c1f4d93873056bf29c68053305b55eea3b878a0c967739d224a445b
Score

3^/10
behavioral8
- Target
  
  Cyberangreb/Repetatively/gerry.pad
- Size
  
  28KB
- MD5
  
  766d9ef7530d23758f482b0ab2b54788
- SHA1
  
  c430e21b1463eceb32d05c6f0909d9821c27a3e7
- SHA256
  
  7ba4160056fb1b321e5859a9aa1f9c277b9c798b968c34e735f5222710e7ed09
- SHA512
  
  5bc154b564af204c25d2e7651e3c4c9f9263c3e6a88f149ddbe9892baf0b26079e171aebac4dd334ee8192ec4f2c5d510536a2287ad1eea5bd357aaafabad68f
- SSDEEP
  
  192:vp3MOAy7WiXB2O1NUcFWb38pStMMI81jeUWBmSF//LzzIxj13gjwKWuQ6SSph7NC:x3vArO7WwNM/JUZe3gjw36z7A
Score

3^/10
behavioral9
- Target
  
  Cyberangreb/Repetatively/inkassogebyrers.txt
- Size
  
  602B
- MD5
  
  ac5918c28b077c9134d607dd4da5c7d8
- SHA1
  
  0b6e4cd64998d4a6bdcbd6698f1388bb0b4f204d
- SHA256
  
  7a0296f17e8bded15e306321af16a537dfe424ea806bda138402c11453c27e1d
- SHA512
  
  0b83b999a6ee4fd22604df2ed2610403abeaa24aa0926db61c91f63b9477a0aa63da1ac8b6c2de348f523e7ed4c414cd28a30b75e8b6faded2c2431d5f6a6f5e
Score

3^/10
behavioral10
- Target
  
  Cyberangreb/Repetatively/klasikkens.txt
- Size
  
  497B
- MD5
  
  349c3014ad27290cecaf439303816708
- SHA1
  
  33c07d049a06eda444a3ab12e4e935d61618adc8
- SHA256
  
  7aea294fbdc4cfa3972c4bf45a2c787f38174b5a0e8a3c2ab45acb0fc5b5d120
- SHA512
  
  801b190430e8fbed64d7ee2e1bcaa2a35651e5c261d79726e93668d7f13dea58d8ccd34edbca3fd4340b219ab1fa75cb2f58adae2ef79741c8886462a6a16fce
Score

3^/10
behavioral11
- Target
  
  Cyberangreb/Repetatively/opdateringssiderne.int
- Size
  
  487KB
- MD5
  
  a751d549670670f890f5a08cc4f5a4d6
- SHA1
  
  c44d434264f7dae94c0d5a7fb58053d81b99391d
- SHA256
  
  d05e57bc53965ea455c243b24bd34a5549ed8f08698c834a411435f0eb9f893d
- SHA512
  
  03fdfe35fc7d8dd0bf02e7e78c7d69b989a6a495bd4ecbdd34c1012ae82b7abfdbe8fc30b82705bf54bdbd0f2493f7a04f78f9fa15809a8461ad556b8a584aa8
- SSDEEP
  
  1536:n9B+wZ0kdeJjeICC3gnX++yF9zMVwwC6mfPWc:n950dCqaXFyPzM1mfB
Score

3^/10
behavioral12
- Target
  
  Cyberangreb/Repetatively/pataca.rei
- Size
  
  265KB
- MD5
  
  cce99d8b4c78640993aa75d7c428d061
- SHA1
  
  6c4f21368687d9a2c8423032bcc8e0ed3227da07
- SHA256
  
  33d5edae3829ef41e644cd76d9bc5f8386420513bd254ca7ab4a88c5c615810c
- SHA512
  
  47ed14565c2d4208f66a7ae070454243f26d06c72f784b9c8675ba172a0b94cf85868778e8de07f12abe6078a29d58a833fa269bfd82cd47a01e9e4601730836
- SSDEEP
  
  768:KtofaHIEDu5ffzIabBiHt/tAr4ajzjk8NG4GwGuV0VXHfR:1faDwfzIaAYDjk8gXfR
Score

3^/10
behavioral13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader family

Guloader,Cloudeye

VIPKeylogger

Vipkeylogger family

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13