guloader | 146df2a253cdb3aa1bcbcfbea834449df1f15c6f6091c0b3e5249128bdf663bb

General

Target

4c0d5b830080aa8b72546a6d7f924aca.bin
Size

155KB
Sample

240420-ble6cace26
MD5

9c71519e55250c94e60ba2cb81bbb804
SHA1

e505888316634c331c11b720fbbaea66dd57a9e3
SHA256

146df2a253cdb3aa1bcbcfbea834449df1f15c6f6091c0b3e5249128bdf663bb
SHA512

bec89e2592f1b4e0f41ff4608a9575c927f27f6dd1f26d818d62314f4621a9a6c827a56309b5c5e9a09be379b903fb9265f092467d1af30b93f207dcf3d67a7b
SSDEEP

3072:adew3bgNVuQmxbONUcC4TuG55uClNOIpE+izdE1V1B3uXU6wY7es1KN6:K36VnmRO574qNOIpZqdE8wyKU

Score

10^/10

Malware Config

Targets

- Target
  
  56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0.vbs
- Size
  
  363KB
- MD5
  
  4c0d5b830080aa8b72546a6d7f924aca
- SHA1
  
  d061aa6f577e894eb58fd4bc64b366e2e7919630
- SHA256
  
  56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
- SHA512
  
  c87b174d0e027f6f85be7669e16b1430531f7880d507ebd1cec55f159fb71bf3ede586001c8a32424886e74dc3477b09d1108c133f75441575cf2d6c896d7d7d
- SSDEEP
  
  6144:1qJLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPE:4uInOi5cI5E0k
Score

10^/10

guloader lokibot collection downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2