guloader | edb5e261d0c9d4b6280ebfaaa6449795ef5073c305d5ce4b46012735829a8bc2

General

Target

nConfirmaci_n_de_pago.tar
Size

962KB
Sample

250226-w3zljaytex
MD5

f58460452471e09af1c99a5709bfd5b1
SHA1

5e9ad00c9abb7f0136ccae777102bf5dc908c7f7
SHA256

edb5e261d0c9d4b6280ebfaaa6449795ef5073c305d5ce4b46012735829a8bc2
SHA512

b30e5a46be9c23a1fb7eb8348de10e131dc5c123ddf8ae1bfa17717494348c625cefc2cc552c1d76bc11c4bc0e25947d66a27ad9286aa360386b756bc217b0fe
SSDEEP

24576:qfYzitFHRydnB0Bhc2aK9bplo0EOlyGmsYu8g7++072+W7:4Yy+BMhXlrEpG8u8gsw

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7040312407:AAFWVlSIzsmV7GmLpQj1tUsYJkbKZM5-bUU/sendMessage?chat_id=7763958191

Targets

- Target
  
  Confirmación-de-pago.exe
- Size
  
  960KB
- MD5
  
  8e9d033337f8e059eaefe649a4197be6
- SHA1
  
  37efe644c5422c1a0e02be021d98e4be73271e78
- SHA256
  
  fd0dc24eaa5dd665cd3f607db673628f63c248b1bf0e202cb2fe7ecf3d2c2570
- SHA512
  
  805c0371323865dc4528c6b06b416150a0b1184b2f2e63eb4ad3beca28eca054b18995847bcebe0b0132d9f21e838020018f302ce5cc79f7fdd4f1062abd7f0c
- SSDEEP
  
  24576:DfYzitFHRydnB0Bhc2aK9bplo0EOlyGmsYu8g7++072+W7W:rYy+BMhXlrEpG8u8gswW
Score

10^/10

discovery guloader vipkeylogger collection downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  192639861e3dc2dc5c08bb8f8c7260d5
- SHA1
  
  58d30e460609e22fa0098bc27d928b689ef9af78
- SHA256
  
  23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
- SHA512
  
  6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
- SSDEEP
  
  192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
Score

3^/10

discovery
behavioral3 behavioral4