guloader | 611b1377897f574d551d52bdfd726a13818071fc8605c7af8d19b0d2384cab6d

General

Target

2fbe2d59c59fc956c1895f59757657dc.bin
Size

6KB
Sample

230322-bk75qsea75
MD5

7c4496089c7b5da2ed27c228cbb9e081
SHA1

3695ab2d4188a896e59cce5e7ab9a9e6f8e15602
SHA256

611b1377897f574d551d52bdfd726a13818071fc8605c7af8d19b0d2384cab6d
SHA512

363b2b4ae429b50fefd5ce629e1d480b17692df6f7daab66e4dc6f34cd74b504889ebbef9bdf94766a6c9cb427cf7bf947f3f4f380c0ee8246c32e93aaf4c075
SSDEEP

96:M9bP4H5kCvT3blukYkvID7eI4H96AH+HCHw7p+527XXzRXXUajRFiROB8O2z9B:MKHeCvfkkYFDiI4HXeV74Y1ESFiq2zz

Score

10^/10

Malware Config

Targets

- Target
  
  BBVA REMITANCE PDF.vbs
- Size
  
  11KB
- MD5
  
  a3e1e0656418b73ed6c01a5e81cab3fe
- SHA1
  
  eaf764c590b1e8bf83c6099025800cb2659c88d1
- SHA256
  
  7cdead7bbbb2d7719151b78fca01d9edd4811852c14cdf3034926db09afadeff
- SHA512
  
  88b2218c4d2fc0f377d4d032a281b9570dc121219d573e5a12ced33420dc48dad2528e7b4e39f974ebe6c74155dcebef9818a053312291c2a470ff25f15dbfef
- SSDEEP
  
  192:UueqaOrAY2CyGlxgL4rMS2octfPVYS/1UTKeZ7AkDnA4m0H:UbqayAPbGlxg0rWtHSS/1U/tAknH
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2