guloader | 72708400a35b43f411491296dd56b88c2e0db8a12038fb612ff35daf5f4bb120 | Triage

Submit
Reports

Overview

overview

Static

static

1

Document B...df.vbs

windows7-x64

Document B...df.vbs

windows10-2004-x64

Sharing

General

Target

Document BT24·pdf.vbs
Size

40KB
Sample

240916-rhvdvssamr
MD5

4a2d0b73866679e24274e1b865076b68
SHA1

27a1e7661d0ac80481d65487d800017df40fc722
SHA256

72708400a35b43f411491296dd56b88c2e0db8a12038fb612ff35daf5f4bb120
SHA512

1eb969f76451c9c73f805398dfc71af5a5e19c987045a3ceb3f4a04dd0383e3a007113112ad3f5e1d3cfdc75b2ee7e11ebc206a5661284babb896fef02edbb62
SSDEEP

384:Z9vOg34aMEKBebLPolEhqoGEe9HwgKOATV7m8vlWfSty8itBzvSARIWg9aqbC+E:Zp346bz1nx78nF6MIWTJ

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Document BT24·pdf.vbs

Resource

win7-20240708-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

Document BT24·pdf.vbs

Resource

win10v2004-20240910-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  Document BT24·pdf.vbs
- Size
  
  40KB
- MD5
  
  4a2d0b73866679e24274e1b865076b68
- SHA1
  
  27a1e7661d0ac80481d65487d800017df40fc722
- SHA256
  
  72708400a35b43f411491296dd56b88c2e0db8a12038fb612ff35daf5f4bb120
- SHA512
  
  1eb969f76451c9c73f805398dfc71af5a5e19c987045a3ceb3f4a04dd0383e3a007113112ad3f5e1d3cfdc75b2ee7e11ebc206a5661284babb896fef02edbb62
- SSDEEP
  
  384:Z9vOg34aMEKBebLPolEhqoGEe9HwgKOATV7m8vlWfSty8itBzvSARIWg9aqbC+E:Zp346bz1nx78nF6MIWTJ
Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

© 2018-2025

Terms | Privacy