Overview

overview

10

Static

static

1

Document B...df.vbs

windows7-x64

10

Document B...df.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1586e028a5ba230eb36d3cae8bafbc5cb7632d9d8dbb3d697e082474efa53da5

  • Size

    12KB

  • Sample

    240916-qtexwazgkq

  • MD5

    5ca059586a96f76e38f7e3c8466c345d

  • SHA1

    c62f4d787d415600b9d4a88dba22838aa5dbfe61

  • SHA256

    1586e028a5ba230eb36d3cae8bafbc5cb7632d9d8dbb3d697e082474efa53da5

  • SHA512

    24491a9d8d7f327df7d7a8db70b2ce5e4cf4828b90c19ec31ab71f66b5f7337373a06cb61654b900270b494dfe4ef236af4a89c2306ec40a5afb75c86dfa2c43

  • SSDEEP

    384:hP4iZLw8+C2QF85AKg9pQ3qzsr3ldL5MF+Gz3:7w8+C2QFOaIld6h

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

Malware Config

Targets

    • Target

      Document BT24·pdf.vbs

    • Size

      40KB

    • MD5

      4a2d0b73866679e24274e1b865076b68

    • SHA1

      27a1e7661d0ac80481d65487d800017df40fc722

    • SHA256

      72708400a35b43f411491296dd56b88c2e0db8a12038fb612ff35daf5f4bb120

    • SHA512

      1eb969f76451c9c73f805398dfc71af5a5e19c987045a3ceb3f4a04dd0383e3a007113112ad3f5e1d3cfdc75b2ee7e11ebc206a5661284babb896fef02edbb62

    • SSDEEP

      384:Z9vOg34aMEKBebLPolEhqoGEe9HwgKOATV7m8vlWfSty8itBzvSARIWg9aqbC+E:Zp346bz1nx78nF6MIWTJ

    Score
    10/10
    guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks