guloader | e2f347dbc5b3cf28a213b4c35d5c17d87658a065d28dc818b34b403ab0e0e67e

General

Target

tmp
Size

567KB
Sample

230601-g2lwqadd7x
MD5

c8007c3ce22859007c4678adeb600457
SHA1

6e7fa22dcf0b9321203600bdbcb788d8b5fe83e6
SHA256

e2f347dbc5b3cf28a213b4c35d5c17d87658a065d28dc818b34b403ab0e0e67e
SHA512

3af09d5096f94d307f51417ad6c339de44761f65d4f0f580c995623dac53d2cc463d2e8a20044ea1944e1a7886d279f7efa999741f1bbd531c626a8727953011
SSDEEP

6144:sBeZKbBMMlpM43J4KjvPZ3MqPHkSghgWK7Kp1QFDNPmU/:XaBFpMOJtDB3Lv8xfeJmW

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://dropbuyinc.ga/

http://omacrestinc.ga/

rc4.i32

Targets

- Target
  
  tmp
- Size
  
  567KB
- MD5
  
  c8007c3ce22859007c4678adeb600457
- SHA1
  
  6e7fa22dcf0b9321203600bdbcb788d8b5fe83e6
- SHA256
  
  e2f347dbc5b3cf28a213b4c35d5c17d87658a065d28dc818b34b403ab0e0e67e
- SHA512
  
  3af09d5096f94d307f51417ad6c339de44761f65d4f0f580c995623dac53d2cc463d2e8a20044ea1944e1a7886d279f7efa999741f1bbd531c626a8727953011
- SSDEEP
  
  6144:sBeZKbBMMlpM43J4KjvPZ3MqPHkSghgWK7Kp1QFDNPmU/:XaBFpMOJtDB3Lv8xfeJmW
Score

10^/10

guloader smokeloader backdoor discovery downloader trojan collection
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

SmokeLoader

Checks QEMU agent file

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2