guloader | e7334a104ba3b4c39a0e71438eee5137eec26d9aed9fa402a3a5001466ca4b6a

General

Target

Amani.exe
Size

539KB
Sample

250414-qgk85axny9
MD5

8789e689a6443fe852327c9df51a4eac
SHA1

dc40c41ac6af078bdfeacd654312d40e01dd7611
SHA256

e7334a104ba3b4c39a0e71438eee5137eec26d9aed9fa402a3a5001466ca4b6a
SHA512

09dd9f5b1b89953ff4e318b491bc4a396be0da67a24f1ad3b4ff2e5cb2f543ab606a427587af8763c2b9dcbe8e8e4a982f2797344e4ad2ada1475e85fdb7e4c9
SSDEEP

12288:T22OeblL4g2gAbaSHjo59kSbi51ImxoHQXJh7EaavEgs8QuUH:TTOeh4gSAGSbi/VxzL7EbvWZd

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
aacrianca.pt
Port:
587
Username:
[email protected]
Password:
ec98ret4

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
aacrianca.pt
Port:
587
Username:
[email protected]
Password:
ec98ret4
Email To:
[email protected]

Targets

- Target
  
  Amani.exe
- Size
  
  539KB
- MD5
  
  8789e689a6443fe852327c9df51a4eac
- SHA1
  
  dc40c41ac6af078bdfeacd654312d40e01dd7611
- SHA256
  
  e7334a104ba3b4c39a0e71438eee5137eec26d9aed9fa402a3a5001466ca4b6a
- SHA512
  
  09dd9f5b1b89953ff4e318b491bc4a396be0da67a24f1ad3b4ff2e5cb2f543ab606a427587af8763c2b9dcbe8e8e4a982f2797344e4ad2ada1475e85fdb7e4c9
- SSDEEP
  
  12288:T22OeblL4g2gAbaSHjo59kSbi51ImxoHQXJh7EaavEgs8QuUH:TTOeh4gSAGSbi/VxzL7EbvWZd
Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10

discovery
behavioral2