guloader | 6d3df181ffbb8c0b15c08aed7b74ff3bd81bb41d356c7e5249f720d04e14f99b

General

Target

184285013-044310-Factura pendiente.zip
Size

559KB
Sample

230327-rw4vfsdh38
MD5

2753522889f3d3938c9f6dd69b66dafa
SHA1

649d87148965f0a5ecde58b8ccc6fd90316bfd95
SHA256

6d3df181ffbb8c0b15c08aed7b74ff3bd81bb41d356c7e5249f720d04e14f99b
SHA512

09499dad99213347064dc24487cbe0295ece527f11049248221b3a9d39b6fb5783bef0d2ad43a3be4f6564d7aa2a3acc8bd7fe16e096b341418578f985541b66
SSDEEP

12288:+63gIueiQm6IkMiNUEl3+Zrl0a9D+qnDSXALnWocaLqw:+6weRm6jMWV3+JD+qOGn

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.eversafe.pt
Port:
587
Username:
pulqueriamonteiro@eversafe.pt
Password:
Ev3rsaf3_2021
Email To:
williamsmith8135@gmail.com

Targets

- Target
  
  184285013-044310-Factura pendiente.exe
- Size
  
  686KB
- MD5
  
  639ea89052d1e5e3b27bb26e4641a33f
- SHA1
  
  232f7c7c342a6f8935719aaa66cb5b30ee14baf0
- SHA256
  
  6966144426edc4d696a5cae07695d56532e5c960c845fe1c1c9efdaddb130754
- SHA512
  
  e6bfe76258f13b95fa62b4b5ca7052f2f9c1df115cd15e765f505e73843825006a349ec496ced444870a0fc9bb6c58207bf8398810228422c5f8924b3499fdad
- SSDEEP
  
  12288:PMw4EAPcLqtueAQQ6CkGi1UET3yZrn0aHDyq9DSXALFWUcaLUZ:PMwtAPcLqEenQ6dGIj3yBDyq0GKZ
Score

10^/10

guloader snakekeylogger collection downloader keylogger stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Snake Keylogger

Snake Keylogger payload

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2