guloader | 8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbf | Triage

Sharing

General

Target

8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe
Size

235KB
Sample

230806-s4jpxsah38
MD5

9c47da2eaf8817c64de9cb8f51cb76d1
SHA1

f6401703f4daf98b106ef34d262c8e3f9bf7f4a5
SHA256

8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbf
SHA512

8b36090784316f58da10d5a115076f8a7de12fc39af117dab8abb29dfa60f5d8505d0d60857741a513d4ba2136beca1f5440365c7df6c7db562282400f2e1251
SSDEEP

6144:fqjIAZnS7kEw+IZKoOHk121yf6g8HzAt+u868L:KLnS7ijsxk1QykTe2N

Score

10^/10

guloader lokibot downloader spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://87.121.47.132/size/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe
- Size
  
  235KB
- MD5
  
  9c47da2eaf8817c64de9cb8f51cb76d1
- SHA1
  
  f6401703f4daf98b106ef34d262c8e3f9bf7f4a5
- SHA256
  
  8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbf
- SHA512
  
  8b36090784316f58da10d5a115076f8a7de12fc39af117dab8abb29dfa60f5d8505d0d60857741a513d4ba2136beca1f5440365c7df6c7db562282400f2e1251
- SSDEEP
  
  6144:fqjIAZnS7kEw+IZKoOHk121yf6g8HzAt+u868L:KLnS7ijsxk1QykTe2N
Score

10^/10

guloader lokibot downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotdownloaderspywarestealertrojan

behavioral2

guloaderlokibotdownloaderspywarestealertrojan