guloader | 04a48f1ea58d9e0ee540bfe7cc4c0117c3724c91424c2afd35fcce4f88db7782

General

Target

file.exe
Size

643KB
Sample

230612-rlpmsace29
MD5

e03a07b14036db47894ae0f73fd0fb3b
SHA1

6366abda03ba3e96ce34faf19180791678bbf308
SHA256

04a48f1ea58d9e0ee540bfe7cc4c0117c3724c91424c2afd35fcce4f88db7782
SHA512

8a7bd2903651009bda05b6f11c5d86477cb6c008e5e35521c008d1597e3adc78d8c1339c9716f50eb8a847a60e57ae9841b40f18bd13e09ac9a010f49e731da6
SSDEEP

6144:o9X0GSN2TRZV13cWT6MyjVRjmdStA21cogHwT3bRojTdQFVvFr1OsYTFhaIz+dfm:e0uph0B1DYTazjFBJESXNnQkC

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://194.180.48.58/black/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  file.exe
- Size
  
  643KB
- MD5
  
  e03a07b14036db47894ae0f73fd0fb3b
- SHA1
  
  6366abda03ba3e96ce34faf19180791678bbf308
- SHA256
  
  04a48f1ea58d9e0ee540bfe7cc4c0117c3724c91424c2afd35fcce4f88db7782
- SHA512
  
  8a7bd2903651009bda05b6f11c5d86477cb6c008e5e35521c008d1597e3adc78d8c1339c9716f50eb8a847a60e57ae9841b40f18bd13e09ac9a010f49e731da6
- SSDEEP
  
  6144:o9X0GSN2TRZV13cWT6MyjVRjmdStA21cogHwT3bRojTdQFVvFr1OsYTFhaIz+dfm:e0uph0B1DYTazjFBJESXNnQkC
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Lokibot

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2