guloader | da762d136b75581e1502e9bea3406880c6a1cf138d3c09885cc8977aac96ade9

General

Target

da762d136b75581e1502e9bea3406880c6a1cf138d3c09885cc8977aac96ade9
Size

932KB
Sample

250221-jak68awmdw
MD5

167248ff60de95841eb697a1c8bb1d6f
SHA1

bbdd61319267e23ab30c73a560e66c6aabd8e863
SHA256

da762d136b75581e1502e9bea3406880c6a1cf138d3c09885cc8977aac96ade9
SHA512

624eb24376fdf98a5ee9bd7c853e142e3af858833b52a6fd9b18c3d09a1a828f654c560acc8e71e7093e7516b99e0f6eedbac8773dd81b5bdf5eb265f91e3e71
SSDEEP

24576:WDX5hicOPwyYNwF923VnB2zzxVKAhbu/YhRXcOobXVzZMBtJug:WrK/wFNwFSnUJXZwYHeBVMDJug

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendMessage?chat_id=8173633564

Targets

- Target
  
  Overmelts.exe
- Size
  
  990KB
- MD5
  
  4a1f527399836a20e0c648007bd75c4f
- SHA1
  
  2155f638fc81a0ff83da6dbd57375ff7bb22d09e
- SHA256
  
  151e5e6525dafef00671528a54c639918f7598b0d0b36fa2de0bc92db585e7b1
- SHA512
  
  73170e38024e8658cf20a99106eef0bf2052d27c97fa871dfdac744e51f24f06cf9d2ad1cfe3ef7888128be552b72e429ab77b766109fe9c855856f830a7f39e
- SSDEEP
  
  24576:pG9BmJnN9a01Y2EiqFjIVkUINdOko/vrP:mBmJN9a0y3iqFEVHIN3oHrP
Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer collection spyware
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  b853d5d2361ade731e33e882707efc34
- SHA1
  
  c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be
- SHA256
  
  f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b
- SHA512
  
  8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69
- SSDEEP
  
  192:eA2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsEf:mS62Gw947ExuGDI7J8EF7KIE
Score

3^/10

discovery
behavioral3 behavioral4