guloader | dccae97e898c8c65ac554cb645b8331e3f73c0ae70792b676094d5437ee0b256

General

Target

Shipwrightry217.rar
Size

525KB
Sample

230322-r7bcaahd62
MD5

a814894090dc2c08c1bddd5948f4a57a
SHA1

6660e45a8a8fdf165082200bde1ab505c24cb603
SHA256

dccae97e898c8c65ac554cb645b8331e3f73c0ae70792b676094d5437ee0b256
SHA512

4c0c8174a7658e8c831191fbb62940fbf03135e2cb1bc8f0a021a5cf81e6933c12b1efef04aa34ccef0bc1c87393572eb5ffd399a148ca190eda2521b8242bcc
SSDEEP

12288:w9mW7WwYF4y8OJIeBwJ/i4EZ18/AX+mycBiIvfG4p1RBUA:KmAYiy8OJIzRKGAi4iotGA

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/biggy/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Shipwrightry217.exe
- Size
  
  554KB
- MD5
  
  f8907e4492367a471d4883b2bb07c2ce
- SHA1
  
  eced4f9dd7e9dea0d6836753cc55042dac7b9aab
- SHA256
  
  4ec2fd690c7b8eca3ef9a7a2624672f7ef09f75985922656ab588062ec1212ed
- SHA512
  
  b1ce16feb0062baf2744848a752b7baf8326776b0594233b17c280316c7b4d39a3d01df48037eb049c95cbb708416ca9e41911a449a610e627358902283bfa3c
- SSDEEP
  
  12288:cqp+8Qve8l8/bB84fFVubbn8XfG0xTzLSS0/K779NKKc06Kux:48Ue8l86GFIbn8XppF58h06Kux
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Lokibot

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2