guloader | 56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0

General

Target

Request for Proposal Quote_2414976·pdf.vbs
Size

363KB
Sample

240418-xr3dqadd3s
MD5

4c0d5b830080aa8b72546a6d7f924aca
SHA1

d061aa6f577e894eb58fd4bc64b366e2e7919630
SHA256

56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
SHA512

c87b174d0e027f6f85be7669e16b1430531f7880d507ebd1cec55f159fb71bf3ede586001c8a32424886e74dc3477b09d1108c133f75441575cf2d6c896d7d7d
SSDEEP

6144:1qJLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPE:4uInOi5cI5E0k

Score

10^/10

Malware Config

Targets

- Target
  
  Request for Proposal Quote_2414976·pdf.vbs
- Size
  
  363KB
- MD5
  
  4c0d5b830080aa8b72546a6d7f924aca
- SHA1
  
  d061aa6f577e894eb58fd4bc64b366e2e7919630
- SHA256
  
  56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
- SHA512
  
  c87b174d0e027f6f85be7669e16b1430531f7880d507ebd1cec55f159fb71bf3ede586001c8a32424886e74dc3477b09d1108c133f75441575cf2d6c896d7d7d
- SSDEEP
  
  6144:1qJLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPE:4uInOi5cI5E0k
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2