guloader | 9626a23f54ddd20eb8ca9b910f97954504f1676b71df8150f8f9a5e0d6072f88

General

Target

Confirmacinpedido1211073874.exe
Size

643KB
Sample

250414-sn41xs1vd1
MD5

7c012ccbe118eb2b08418c0bc8225052
SHA1

dd1c854c64a6d3e3265cc648d578c5f4acf4df8e
SHA256

9626a23f54ddd20eb8ca9b910f97954504f1676b71df8150f8f9a5e0d6072f88
SHA512

09d3bbbc1850fd8eb16fd7409ac269361dadf670cb887c38bd170c7da363d9e2cd97364e960152451690f0396dd3fef71a2add8c480e032d093e3bccc047fdfd
SSDEEP

12288:u+qBlcJ90annNzz5FZz/dops9FcUF8xaJ9BcHUepC2mCeubt1AW:u+qXWhNnBdopCcYcQBcHrC2mCek1AW

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
botellaconsultant.com
Port:
587
Username:
[email protected]
Password:
gab@06012019
Email To:
[email protected]

C2

https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103

Targets

- Target
  
  Confirmacinpedido1211073874.exe
- Size
  
  643KB
- MD5
  
  7c012ccbe118eb2b08418c0bc8225052
- SHA1
  
  dd1c854c64a6d3e3265cc648d578c5f4acf4df8e
- SHA256
  
  9626a23f54ddd20eb8ca9b910f97954504f1676b71df8150f8f9a5e0d6072f88
- SHA512
  
  09d3bbbc1850fd8eb16fd7409ac269361dadf670cb887c38bd170c7da363d9e2cd97364e960152451690f0396dd3fef71a2add8c480e032d093e3bccc047fdfd
- SSDEEP
  
  12288:u+qBlcJ90annNzz5FZz/dops9FcUF8xaJ9BcHUepC2mCeubt1AW:u+qXWhNnBdopCcYcQBcHrC2mCek1AW
Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  9b38a1b07a0ebc5c7e59e63346ecc2db
- SHA1
  
  97332a2ffcf12a3e3f27e7c05213b5d7faa13735
- SHA256
  
  8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
- SHA512
  
  26e77f8e10f6d8693c92bd036b53a3f6e0c523090ef8dfe479815f556ecd2b57fc90ce9f7cceebe70460d464decb27ad1fe240819fd56997764e96506b6a439c
- SSDEEP
  
  192:kjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZ40QPi:U/Qlt7wiij/lMRv/9V4b4r
Score

3^/10

discovery
behavioral2