guloader | e6d3f9dc2815e9f7604382a83ffe91cb49a32b2c7866ce9a321a1fb4c35c49e9 | Triage

Submit
Reports

Overview

overview

Static

static

1

sws.rtf

windows7-x64

sws.rtf

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

sws.doc
Size

27KB
Sample

230614-mn36qsga74
MD5

418aefdb083ce19b972f4573f3ed98ff
SHA1

bd9dde0f672a66ac0da55b00106c713aefe693f1
SHA256

e6d3f9dc2815e9f7604382a83ffe91cb49a32b2c7866ce9a321a1fb4c35c49e9
SHA512

0c564b655f0fe783951a1a105e479a799708c5e7269ec756fe3c5ac89f116394fbd8c924f3e11cfac051c87213032a9056568df63fa37d1920354e204fb76426
SSDEEP

768:xeXX2cCsj02PMV9v4ovzJeBAE9o8W7ShmIHVNR3GyOwmEU:xC2cCsY2EVJ4ovBD7ZCbcEU

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

sws.rtf

Resource

win7-20230220-en

guloader lokibot collection downloader spyware stealer trojan

windows7-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

sws.rtf

Resource

win10v2004-20230220-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/chang3/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  sws.doc
- Size
  
  27KB
- MD5
  
  418aefdb083ce19b972f4573f3ed98ff
- SHA1
  
  bd9dde0f672a66ac0da55b00106c713aefe693f1
- SHA256
  
  e6d3f9dc2815e9f7604382a83ffe91cb49a32b2c7866ce9a321a1fb4c35c49e9
- SHA512
  
  0c564b655f0fe783951a1a105e479a799708c5e7269ec756fe3c5ac89f116394fbd8c924f3e11cfac051c87213032a9056568df63fa37d1920354e204fb76426
- SSDEEP
  
  768:xeXX2cCsj02PMV9v4ovzJeBAE9o8W7ShmIHVNR3GyOwmEU:xC2cCsY2EVJ4ovBD7ZCbcEU
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectiondownloaderspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy