Overview

overview

10

Static

static

1

BID REQUES...df.vbs

windows7-x64

10

BID REQUES...df.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68

  • Size

    9KB

  • Sample

    240909-x9dhbaxhld

  • MD5

    8eab71087f1ab6f723b2eeb75448e0e2

  • SHA1

    793d1dd47f40b0a5a75a41ebbef48c01b90b1cf8

  • SHA256

    56477d17f71d7e5912340580f96f8df535b19eb9cb96da14ccf741bcd465ee68

  • SHA512

    3c97977c9b3ce85f3bb059ff9668cc51fefebeadd68780b52b0256f4c0fe4d8fbcd60e2be6db0c607632b29bee7d2cd50dab3732e718a06c26a890894a4cbae8

  • SSDEEP

    192:hJTqg0BG7a1NZdmZ/yw5NaoQdIuOTQmolN8M7bDtiGKIV+nY7:hpqVBG7a545TPaoNdGfV9uIV+6

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Targets

    • Target

      BID REQUEST 09-09-2024·pdf.vbs

    • Size

      28KB

    • MD5

      3cc67d448a578ff541499696264c340a

    • SHA1

      7bac2915c8f873a8f27c40ba197854ab0417b4e3

    • SHA256

      c26253cd77cc444cdbf4d0cb2abb2aab166485f749777677ea749d4f850fc859

    • SHA512

      74adc64258c27028ca5c340cb1a2323a88c887d43310feef908bcbb59c80d055173fa747db0349c939c386f0dba3fd0cb40754092eee1c46a75375d011cb0664

    • SSDEEP

      384:1qh1bFGXrSOQ6aY2/w1MpmQkH13hhX7wc:1qhtkrPfaY2/w1MpzkVxhLH

    Score
    10/10
    guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks