guloader | 03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9 | Triage

Submit
Reports

Overview

overview

Static

static

1

RFQ_2414976·pdf.vbs

windows7-x64

RFQ_2414976·pdf.vbs

windows10-2004-x64

8

Sharing

General

Target

RFQ_2414976·pdf.vbs
Size

361KB
Sample

240416-sy7jssfc3t
MD5

a8bbe905610f17161af68ea8aab57592
SHA1

6a85ada10ba962b10c07955b2f73700842b4932b
SHA256

03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9
SHA512

07a76fd2257c22efb7858573035501ad0e9d55a380e7a213564bfe18eaa4f9f43e8f00a22d50b7d13a1ce9dc30ba1f234e131e03a14a67e91b27918c79059576
SSDEEP

6144:xnILaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP4:h5InOiAZvXAw

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQ_2414976·pdf.vbs

Resource

win7-20240221-en

guloader lokibot collection downloader spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ_2414976·pdf.vbs

Resource

win10v2004-20240412-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  RFQ_2414976·pdf.vbs
- Size
  
  361KB
- MD5
  
  a8bbe905610f17161af68ea8aab57592
- SHA1
  
  6a85ada10ba962b10c07955b2f73700842b4932b
- SHA256
  
  03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9
- SHA512
  
  07a76fd2257c22efb7858573035501ad0e9d55a380e7a213564bfe18eaa4f9f43e8f00a22d50b7d13a1ce9dc30ba1f234e131e03a14a67e91b27918c79059576
- SSDEEP
  
  6144:xnILaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP4:h5InOiAZvXAw
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectiondownloaderspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy