guloader | 4d102deeb0b15997e2197b8e69db45f5fe951c2b5091a5ccac7a8e26ea261652

General

Target

SOCSO_20230005324867·pdf.vbs
Size

255KB
Sample

231113-hlxhysah8w
MD5

f1e7be6402e721940bddf3f1d917aaf5
SHA1

6c04996641de91fc7adcf12d0791e2e9e174c856
SHA256

4d102deeb0b15997e2197b8e69db45f5fe951c2b5091a5ccac7a8e26ea261652
SHA512

3355c3501c262cb4cb47880abdbfdc82e7220bf02d982272bf54902526af2cf8e34faf546d4d13849822ae9c1325057eecc6088a45ee434b7c9e53d87e22347d
SSDEEP

6144:jb1IJnEsovnKtPiPPL8+MOyqBT0LgPnOtwybUnmQ:f1/nKKPLJMdfwyTQ

Score

10^/10

Malware Config

Targets

- Target
  
  SOCSO_20230005324867·pdf.vbs
- Size
  
  255KB
- MD5
  
  f1e7be6402e721940bddf3f1d917aaf5
- SHA1
  
  6c04996641de91fc7adcf12d0791e2e9e174c856
- SHA256
  
  4d102deeb0b15997e2197b8e69db45f5fe951c2b5091a5ccac7a8e26ea261652
- SHA512
  
  3355c3501c262cb4cb47880abdbfdc82e7220bf02d982272bf54902526af2cf8e34faf546d4d13849822ae9c1325057eecc6088a45ee434b7c9e53d87e22347d
- SSDEEP
  
  6144:jb1IJnEsovnKtPiPPL8+MOyqBT0LgPnOtwybUnmQ:f1/nKKPLJMdfwyTQ
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2