guloader | 03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9

General

Target

RFQ_2414976·pdf.vbs
Size

361KB
Sample

240416-sy7jssfc3t
MD5

a8bbe905610f17161af68ea8aab57592
SHA1

6a85ada10ba962b10c07955b2f73700842b4932b
SHA256

03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9
SHA512

07a76fd2257c22efb7858573035501ad0e9d55a380e7a213564bfe18eaa4f9f43e8f00a22d50b7d13a1ce9dc30ba1f234e131e03a14a67e91b27918c79059576
SSDEEP

6144:xnILaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP4:h5InOiAZvXAw

Score

10^/10

Malware Config

Targets

- Target
  
  RFQ_2414976·pdf.vbs
- Size
  
  361KB
- MD5
  
  a8bbe905610f17161af68ea8aab57592
- SHA1
  
  6a85ada10ba962b10c07955b2f73700842b4932b
- SHA256
  
  03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9
- SHA512
  
  07a76fd2257c22efb7858573035501ad0e9d55a380e7a213564bfe18eaa4f9f43e8f00a22d50b7d13a1ce9dc30ba1f234e131e03a14a67e91b27918c79059576
- SSDEEP
  
  6144:xnILaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP4:h5InOiAZvXAw
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2