guloader | c9e13cac0c279e2e8dbf89b9b105522c36ef2959d0edf4b01f2412a4dc382504

General

Target

Factura Honorarios.exe
Size

676KB
Sample

250414-j4ddgatyds
MD5

06f11fae2c47c5ab2284fefcc1b2d857
SHA1

5ac3754e85334b7efbb7cfd85f355f4accc5d0a8
SHA256

c9e13cac0c279e2e8dbf89b9b105522c36ef2959d0edf4b01f2412a4dc382504
SHA512

e50b6a6bccc6bd8bf137da95c4f6306aee08b59e163c08d9e07c6fb238eb5b613f2244a1c57a35b35b54106bf531867c5b258fcb00f6e087121d2546e1204288
SSDEEP

12288:p+q1gzPJzfmf5yNA3PnuNDhxeI82jkxKhVERZmCeuCHxdt1AS:p+q1gt651n0h0ekx+8ZmCeF1AS

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103

Targets

- Target
  
  Factura Honorarios.exe
- Size
  
  676KB
- MD5
  
  06f11fae2c47c5ab2284fefcc1b2d857
- SHA1
  
  5ac3754e85334b7efbb7cfd85f355f4accc5d0a8
- SHA256
  
  c9e13cac0c279e2e8dbf89b9b105522c36ef2959d0edf4b01f2412a4dc382504
- SHA512
  
  e50b6a6bccc6bd8bf137da95c4f6306aee08b59e163c08d9e07c6fb238eb5b613f2244a1c57a35b35b54106bf531867c5b258fcb00f6e087121d2546e1204288
- SSDEEP
  
  12288:p+q1gzPJzfmf5yNA3PnuNDhxeI82jkxKhVERZmCeuCHxdt1AS:p+q1gt651n0h0ekx+8ZmCeF1AS
Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  9b38a1b07a0ebc5c7e59e63346ecc2db
- SHA1
  
  97332a2ffcf12a3e3f27e7c05213b5d7faa13735
- SHA256
  
  8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
- SHA512
  
  26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c
- SSDEEP
  
  192:kjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZ40QPi:U/Qlt7wiij/lMRv/9V4b4r
Score

3^/10

discovery
behavioral2