guloader | ad2b8c6d46879d5c83c2a89020cf39f29f7344532b26e1ea8c91cbeb7fb3440c

Sharing

Copy URL

Twitter E-mail

General

Target

MalwareBazaar.2
Size

467KB
Sample

240801-se5k4awepl
MD5

4015f00ef3731b6caa8862aacc178f2e
SHA1

a95f1a8fef002703f6c303121c36269485cccc50
SHA256

ad2b8c6d46879d5c83c2a89020cf39f29f7344532b26e1ea8c91cbeb7fb3440c
SHA512

3f55db58dadcb4b5d46da5a515d0f37ebb6ef328f6fdd1bbcd54b922dd1ba19c110dc951cbb91a4c529a4c79f48cdcc26a40c6475de634ee42356bc1b33cbd75
SSDEEP

6144:nNoShfU3osnA2UnjCD5JnYR/Z13P4FgsLJNFRzEBsT8CCv74:naqgowbYCDUR/TP4VVNEBsLks

Score

10^/10

Malware Config

Targets

- Target
  
  MalwareBazaar.2
- Size
  
  467KB
- MD5
  
  4015f00ef3731b6caa8862aacc178f2e
- SHA1
  
  a95f1a8fef002703f6c303121c36269485cccc50
- SHA256
  
  ad2b8c6d46879d5c83c2a89020cf39f29f7344532b26e1ea8c91cbeb7fb3440c
- SHA512
  
  3f55db58dadcb4b5d46da5a515d0f37ebb6ef328f6fdd1bbcd54b922dd1ba19c110dc951cbb91a4c529a4c79f48cdcc26a40c6475de634ee42356bc1b33cbd75
- SSDEEP
  
  6144:nNoShfU3osnA2UnjCD5JnYR/Z13P4FgsLJNFRzEBsT8CCv74:naqgowbYCDUR/TP4VVNEBsLks
Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/Banner.dll
- Size
  
  4KB
- MD5
  
  843657eaf7240b695624dcf38bb0eb31
- SHA1
  
  ca99a44e737fdeaab56f864ce1ef15a57d2eec90
- SHA256
  
  b935d14c32ad8e16055f7f5794ac3411e601c5ac93155afc623f25b08e2ab82e
- SHA512
  
  7773d9f6bbd17253d1c96ce225b2f9d3673969b38177afef236d1c5d4aabaae2c07793e07c34f0281ec3b859ae955e83bfe43a598ce7cc6c893ec8c9604f5de3
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/BgImage.dll
- Size
  
  7KB
- MD5
  
  a98576f0d6b35b466cb881860977fdbc
- SHA1
  
  28b3dbbd76f15c876b98dce523100aa3256d193a
- SHA256
  
  6cc4aadae46ee3e7f39b411ba087ec29bc10aa62b6b5b44003c934b3c51cefe2
- SHA512
  
  29225bfb30e72d7d3d3571e7562b5901dbf2382af1972cc9a2be8e3bef697b9ac9e0aaac3a9bca191da827ad3cfce7f6876e8be9444663e83a7e2e86788a733c
- SSDEEP
  
  96:8e70AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk7nLiEQjJ3KxkP:tBBfjbUA/85q3wEh8uLmqLpmP
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  2c84faebfda2abe3b16fdf374df4272f
- SHA1
  
  a5b0258a94e0440aefe1ef320e62e7a9a1c8bb40
- SHA256
  
  72b38e4cca0af336655d55501c4ea05080baaa9921a62a2d717afe90bb801004
- SHA512
  
  207164cc6914c59d9f4f3b8ae97628c544093ba6ecda9f8da351f453cd97e03be7a640264b8686b2d5e6f3c787f4df1d8a1ebc8e51fd788a97460cd981cc015e
- SSDEEP
  
  96:3ip41CMj95rKhkfL5RkEdKkcxM2DjDf3GE/E9v5E9av+Yx4QndY7ndS27gA:3iujesS4HRE/K5MYxBdqn420
Score

3^/10

discovery
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Lokibot

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8