guloader | e2fda069aeb3745872935ff4b9ed64ce7f40cae6b6b57a7f4bfb37a01d9178b1 | Triage

Sharing

General

Target

e2fda069aeb3745872935ff4b9ed64ce7f40cae6b6b57a7f4bfb37a01d9178b1
Size

7KB
Sample

240905-vsw7zsweqf
MD5

723338c189a4c4ebd80559bc394f39b6
SHA1

b2b8a82f00027528e1ca25f0e5dc36d9d066064f
SHA256

e2fda069aeb3745872935ff4b9ed64ce7f40cae6b6b57a7f4bfb37a01d9178b1
SHA512

208b516aea8c4eebbf951ebf8d889f3e8414bf917e195142fd312b25425221945a0c7c70c7aee3a89bd18c7c210a9281e8810a227b279cb0f1e5aed8b7aa4a8f
SSDEEP

192:BghB08+khrmgIxp6Zh03CIDs/La/TYz6rxoCB:BghB08+ChIOs3Ca2/ISCB

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Targets

- Target
  
  BUDGET REQUEST (University of Brasilia) 05-09-2024.vbe
- Size
  
  25KB
- MD5
  
  3ccecc201a02a447e202b789225d485a
- SHA1
  
  3f862aa3bd5a63377d92bda94fde52fb6117787f
- SHA256
  
  5818ebc075a84b23c0e75e871bd910fa656d9f5e39f96a9e23ff15d10b4b1fad
- SHA512
  
  5ca42afdc12633066081134fcaea9a5fec2f4095997a62b1a80e1b7bcefa0eec1a6bc57f1f1d26907ddb3ebf5831a92fe0b64d7a4fb8620caaf7b36dbd8e29e0
- SSDEEP
  
  384:Vwm8rpPNSoc8/zHXzM18KL20GrPWRIdbiKiz:58C6D2Er2ozY
Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan