guloader | e1c5a87cc499041cbf2023a33d0247d4f06ab043df4aa7c68e3e8ffbdbc18942

General

Target

e1c5a87cc499041cbf2023a33d0247d4f06ab043df4aa7c68e3e8ffbdbc18942.exe
Size

205KB
Sample

230110-pz7peabg7z
MD5

920e6aa359e5a55f0eee6d64e21c502b
SHA1

c5643f4d1aed8ec169442d55bde2ad1e6b3dbe7c
SHA256

e1c5a87cc499041cbf2023a33d0247d4f06ab043df4aa7c68e3e8ffbdbc18942
SHA512

c674f1cb9187db64b78dd08d94a15e0250f3e414ea2258b15ce6caa48c7185698ad7ce66bf2e255ad92db5b7e7cffaf34f90fc232660ac5333c624d7f3cc67f9
SSDEEP

6144:7BeJt6S7LVzwAFtpMI9l8cTpuBFrWFRjktOd8nJdf:K7LBNQmUzWPjQOd2T

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
bscppiX6
Email To:
[email protected]

Targets

- Target
  
  e1c5a87cc499041cbf2023a33d0247d4f06ab043df4aa7c68e3e8ffbdbc18942.exe
- Size
  
  205KB
- MD5
  
  920e6aa359e5a55f0eee6d64e21c502b
- SHA1
  
  c5643f4d1aed8ec169442d55bde2ad1e6b3dbe7c
- SHA256
  
  e1c5a87cc499041cbf2023a33d0247d4f06ab043df4aa7c68e3e8ffbdbc18942
- SHA512
  
  c674f1cb9187db64b78dd08d94a15e0250f3e414ea2258b15ce6caa48c7185698ad7ce66bf2e255ad92db5b7e7cffaf34f90fc232660ac5333c624d7f3cc67f9
- SSDEEP
  
  6144:7BeJt6S7LVzwAFtpMI9l8cTpuBFrWFRjktOd8nJdf:K7LBNQmUzWPjQOd2T
Score

10^/10

guloader snakekeylogger collection downloader keylogger stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Snake Keylogger

Snake Keylogger payload

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2