guloader | d7439af0827a632fe9730a7dd2585a2fb5b0af71c312cdeb49e6a738a9133400

General

Target

d7439af0827a632fe9730a7dd2585a2fb5b0af71c312cdeb49e6a738a9133400.exe
Size

539KB
Sample

241023-caf4yaxcpr
MD5

4183d5786fe2a0e4563c5a0cf57d92f6
SHA1

2fc414de34b92a56712c6684c84af970037b81f5
SHA256

d7439af0827a632fe9730a7dd2585a2fb5b0af71c312cdeb49e6a738a9133400
SHA512

8d86235c4d4060d656a1a2349a43e7ddfc9d036d476dbf8b9d404af060b754eb33bdc74ee03881f769fd19a60b87daefc696e48ee33f40b1e24f358dfe9a87fc
SSDEEP

12288:DMq47lWuTq/3dOxotjTps+ZHmkHN3HiPCpfBVxe:I/WuTsoWt1HnHpHiwVI

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.mgcconstrucciones.com.co
Port:
587
Username:
[email protected]
Password:
Mgonzalez@2021.
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.mgcconstrucciones.com.co
Port:
587
Username:
[email protected]
Password:
Mgonzalez@2021.

Targets

- Target
  
  d7439af0827a632fe9730a7dd2585a2fb5b0af71c312cdeb49e6a738a9133400.exe
- Size
  
  539KB
- MD5
  
  4183d5786fe2a0e4563c5a0cf57d92f6
- SHA1
  
  2fc414de34b92a56712c6684c84af970037b81f5
- SHA256
  
  d7439af0827a632fe9730a7dd2585a2fb5b0af71c312cdeb49e6a738a9133400
- SHA512
  
  8d86235c4d4060d656a1a2349a43e7ddfc9d036d476dbf8b9d404af060b754eb33bdc74ee03881f769fd19a60b87daefc696e48ee33f40b1e24f358dfe9a87fc
- SSDEEP
  
  12288:DMq47lWuTq/3dOxotjTps+ZHmkHN3HiPCpfBVxe:I/WuTsoWt1HnHpHiwVI
Score

10^/10

guloader snakekeylogger collection discovery downloader keylogger spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  cf85183b87314359488b850f9e97a698
- SHA1
  
  6b6c790037eec7ebea4d05590359cb4473f19aea
- SHA256
  
  3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
- SHA512
  
  fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b
- SSDEEP
  
  96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug
Score

3^/10

discovery
behavioral3 behavioral4