guloader | 3be658e5c91bcbded0777881592d53f65b182857a6dabf30c58245921272aae2

General

Target

baca046e0c5667c8f2781be323953335.exe
Size

1.3MB
Sample

230611-ztv4jaaf8y
MD5

baca046e0c5667c8f2781be323953335
SHA1

3ccd08ff28588cc26ea52a783c7202610ae832ca
SHA256

3be658e5c91bcbded0777881592d53f65b182857a6dabf30c58245921272aae2
SHA512

5466b7184bf12ebbc28ad7266292ed1039760c1fec509b705455d0bae50876c728852e686b3c15c723e752cbbb52b349aaea11612da502dbf81c4bf46112af64
SSDEEP

24576:sPwOYizPEUm1z0E6G3VibpHIdebodR6jlKFtQVUv+iP8o79bO+3:sVxEUZG32poHRS2tQuWikK9j3

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.60/bis/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  baca046e0c5667c8f2781be323953335.exe
- Size
  
  1.3MB
- MD5
  
  baca046e0c5667c8f2781be323953335
- SHA1
  
  3ccd08ff28588cc26ea52a783c7202610ae832ca
- SHA256
  
  3be658e5c91bcbded0777881592d53f65b182857a6dabf30c58245921272aae2
- SHA512
  
  5466b7184bf12ebbc28ad7266292ed1039760c1fec509b705455d0bae50876c728852e686b3c15c723e752cbbb52b349aaea11612da502dbf81c4bf46112af64
- SSDEEP
  
  24576:sPwOYizPEUm1z0E6G3VibpHIdebodR6jlKFtQVUv+iP8o79bO+3:sVxEUZG32poHRS2tQuWikK9j3
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Lokibot

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2