guloader | 1b3b9f0c7a82fa5f4e656376d971581211ba332c7857ee114365fecca818b863

General

Target

Recibos.exe
Size

681KB
Sample

250414-sew9qa1tcy
MD5

3203fe67417ccd0ba749ceb720f680e9
SHA1

343a8c2ac8ae34afc1b343490d256943021f08d1
SHA256

1b3b9f0c7a82fa5f4e656376d971581211ba332c7857ee114365fecca818b863
SHA512

c2c3c9e2415bd0abd3db236c72613635a4054cf014fef54d72e48de7bcc169041b6b8d551cf06c07c9dd985c59e2de1eaec436befa443768940bcdfc52fb0521
SSDEEP

12288:q+qkDlXDwOiNuB2WPFwl5Lmpb3vliE4mCeuiBnKINft1AN:q+qkBwhNoVqHmtfCmCeHPNF1AN

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019
Email To:
[email protected]

C2

https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103

Targets

- Target
  
  Recibos.exe
- Size
  
  681KB
- MD5
  
  3203fe67417ccd0ba749ceb720f680e9
- SHA1
  
  343a8c2ac8ae34afc1b343490d256943021f08d1
- SHA256
  
  1b3b9f0c7a82fa5f4e656376d971581211ba332c7857ee114365fecca818b863
- SHA512
  
  c2c3c9e2415bd0abd3db236c72613635a4054cf014fef54d72e48de7bcc169041b6b8d551cf06c07c9dd985c59e2de1eaec436befa443768940bcdfc52fb0521
- SSDEEP
  
  12288:q+qkDlXDwOiNuB2WPFwl5Lmpb3vliE4mCeuiBnKINft1AN:q+qkBwhNoVqHmtfCmCeHPNF1AN
Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  9b38a1b07a0ebc5c7e59e63346ecc2db
- SHA1
  
  97332a2ffcf12a3e3f27e7c05213b5d7faa13735
- SHA256
  
  8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
- SHA512
  
  26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c
- SSDEEP
  
  192:kjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZ40QPi:U/Qlt7wiij/lMRv/9V4b4r
Score

3^/10

discovery
behavioral2