guloader | 07fbccab3124ab65980a177e294d10fdfdd1109cff3c618dc88e43489370d7de

General

Target

07fbccab3124ab65980a177e294d10fdfdd1109cff3c618dc88e43489370d7de.vbs
Size

673KB
Sample

240409-bde6dahc56
MD5

63d0112620a2fbdf45054eb6e76272fd
SHA1

84688e43791d3894f677e06a21e2b7620af4fc6c
SHA256

07fbccab3124ab65980a177e294d10fdfdd1109cff3c618dc88e43489370d7de
SHA512

bf7b66fcb7d5de7aab712956812ef0cfa1407ad7819b2090711b566a2084762bc2c8ff60e544de830ef54c4fe17c3509647a73eafe3b3933da4b6ef1071a7423
SSDEEP

12288:0DGOTYy5NHBv1EV2G96irLVoPBiSl0aAsNOPD:0CO1XHBOQm6irLfSlX2

Score

10^/10

Malware Config

Targets

- Target
  
  07fbccab3124ab65980a177e294d10fdfdd1109cff3c618dc88e43489370d7de.vbs
- Size
  
  673KB
- MD5
  
  63d0112620a2fbdf45054eb6e76272fd
- SHA1
  
  84688e43791d3894f677e06a21e2b7620af4fc6c
- SHA256
  
  07fbccab3124ab65980a177e294d10fdfdd1109cff3c618dc88e43489370d7de
- SHA512
  
  bf7b66fcb7d5de7aab712956812ef0cfa1407ad7819b2090711b566a2084762bc2c8ff60e544de830ef54c4fe17c3509647a73eafe3b3933da4b6ef1071a7423
- SSDEEP
  
  12288:0DGOTYy5NHBv1EV2G96irLVoPBiSl0aAsNOPD:0CO1XHBOQm6irLfSlX2
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2