Overview

overview

10

Static

static

SecuriteIn...23.exe

windows7_x64

10

SecuriteIn...23.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.7523.23738

  • Size

    304KB

  • Sample

    220705-qaxctabcg6

  • MD5

    2f779b2196af55484be830b22eda9dca

  • SHA1

    a6e6a3d2b92abc988e82e254705c01d6357d1b4e

  • SHA256

    e7ee8ff4872d57b2fba736ee6556e3f92a3fc1c3c8738c50cc8b1e6acbb4379f

  • SHA512

    03c71e113a5ad18c877e2089cafc4541350372237bf022c5a4f0e9ac9e10122513c94c2097c09955d8cec9b1a75c04ee870c7b1f65dd2f7243a4ec4960fd0c36

Score
10/10
guloaderlokibotcollectiondiscoverydownloaderspywarestealersuricatatrojan

Malware Config

Targets

    • Target

      SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.7523.23738

    • Size

      304KB

    • MD5

      2f779b2196af55484be830b22eda9dca

    • SHA1

      a6e6a3d2b92abc988e82e254705c01d6357d1b4e

    • SHA256

      e7ee8ff4872d57b2fba736ee6556e3f92a3fc1c3c8738c50cc8b1e6acbb4379f

    • SHA512

      03c71e113a5ad18c877e2089cafc4541350372237bf022c5a4f0e9ac9e10122513c94c2097c09955d8cec9b1a75c04ee870c7b1f65dd2f7243a4ec4960fd0c36

    Score
    10/10
    guloaderlokibotcollectiondiscoverydownloaderspywarestealersuricatatrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks