guloader | 6a872532ca240daaf8bd0b676678bfdfcad6f0c72c58f675574d3a1f471bea9f | Triage

Submit
Reports

Overview

overview

Static

static

1

67fbf9f34c...58.vbs

windows7-x64

67fbf9f34c...58.vbs

windows10-2004-x64

Sharing

General

Target

fe62c58bcc975e7ebbd268b44a518785.bin
Size

155KB
Sample

240418-ch92zsgc65
MD5

e19b2648d1afa5e0e8c60bc4bb77b581
SHA1

48ff6d5a821ba8346eb1a06a8df22a0df09bf1f6
SHA256

6a872532ca240daaf8bd0b676678bfdfcad6f0c72c58f675574d3a1f471bea9f
SHA512

485200a7250254d89e722f6093225dcf850e8079120f059bec8688fc766e7e33953eb286902b90d476dff554fed46a284e2972ec30fa61ae94d7e6d131349c9f
SSDEEP

3072:73+m1bzjML2XjlZPfsqD0YMJdXp4yqdZ76qpFroA+V1G5iBojTrpHSWqSI:PfM6J5fIYMJFp4yqzeq3revG5iKTN9qz

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs

Resource

win7-20240221-en

guloader lokibot collection downloader spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs

Resource

win10v2004-20240412-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Targets

- Target
  
  67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs
- Size
  
  361KB
- MD5
  
  fe62c58bcc975e7ebbd268b44a518785
- SHA1
  
  696f215f0abe6f1513ddd0a6e8235d99fa5da7fe
- SHA256
  
  67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58
- SHA512
  
  5d70692b8c4b95c61d08c07b1eff6d98ebf58692a10af71281a1fba06a94cb25102803bf1776a5546798427b7a4a76bf62bd3538ed7e7a063f27326df484cc80
- SSDEEP
  
  6144:6Q1LaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP/:bKInOiANKdGs
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloaderlokibotcollectiondownloaderspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy