guloader | 7d9639376d9c7dcecfdf494950100a6d04238a7d510d65c4b52225b634073b24

General

Target

7d9639376d9c7dcecfdf494950100a6d04238a7d510d65c4b52225b634073b24.exe
Size

677KB
Sample

250222-e3n2csxng1
MD5

cfd2a2a0de8c10180319835f2c148578
SHA1

a685193f4a254f4a67d116120c870f827d83b561
SHA256

7d9639376d9c7dcecfdf494950100a6d04238a7d510d65c4b52225b634073b24
SHA512

a423f5abf8ff6b7caa625cb292760f08839527352dde9808f8c73b2d7e5f76d5c7e6f4d997054c39a9375a02a74b044a89efd4dae9e7ad0a4c835c8ae83ca259
SSDEEP

12288:Xa/AcZ6qJ2s1+pBOi+jWtpXpUtvntYRo0/vzwZ2XdgjPEmADNA0EpphZNG2K:X4Z6SQB5+ypXGL4oyszjsmY0K

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendMessage?chat_id=8173633564

Targets

- Target
  
  7d9639376d9c7dcecfdf494950100a6d04238a7d510d65c4b52225b634073b24.exe
- Size
  
  677KB
- MD5
  
  cfd2a2a0de8c10180319835f2c148578
- SHA1
  
  a685193f4a254f4a67d116120c870f827d83b561
- SHA256
  
  7d9639376d9c7dcecfdf494950100a6d04238a7d510d65c4b52225b634073b24
- SHA512
  
  a423f5abf8ff6b7caa625cb292760f08839527352dde9808f8c73b2d7e5f76d5c7e6f4d997054c39a9375a02a74b044a89efd4dae9e7ad0a4c835c8ae83ca259
- SSDEEP
  
  12288:Xa/AcZ6qJ2s1+pBOi+jWtpXpUtvntYRo0/vzwZ2XdgjPEmADNA0EpphZNG2K:X4Z6SQB5+ypXGL4oyszjsmY0K
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10

discovery
behavioral3 behavioral4