Overview

overview

10

Static

static

1

Solicitud ...df.vbs

windows7-x64

10

Solicitud ...df.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Solicitud De Presupuesto 09-16-2024·pdf.vbs

  • Size

    33KB

  • Sample

    240917-rc9xcsxbml

  • MD5

    cd0669221e6722bb84542cc73f29a482

  • SHA1

    3fdaefe57d23b8091b944a31604ad19e147a8ddf

  • SHA256

    d6c16f0698885773a3ab5c3d41f7669f6b3520822e5a998b525e38a8d9d38f74

  • SHA512

    48f1f862758fc879b5eb22d601fd1fe57af006c3b12779b86d6370b17c671375a019683abc99a60651ef44b633bb33d68f993f81026bf0df34b55d347d06f5ec

  • SSDEEP

    384:Z9vOg3vacyZnIr8hWY/NeNz7trA4qAGkespLV5SEGOiOUvT4drEhN4Q:Zp3vcWY/UzOkelSVrwD

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

Malware Config

Targets

    • Target

      Solicitud De Presupuesto 09-16-2024·pdf.vbs

    • Size

      33KB

    • MD5

      cd0669221e6722bb84542cc73f29a482

    • SHA1

      3fdaefe57d23b8091b944a31604ad19e147a8ddf

    • SHA256

      d6c16f0698885773a3ab5c3d41f7669f6b3520822e5a998b525e38a8d9d38f74

    • SHA512

      48f1f862758fc879b5eb22d601fd1fe57af006c3b12779b86d6370b17c671375a019683abc99a60651ef44b633bb33d68f993f81026bf0df34b55d347d06f5ec

    • SSDEEP

      384:Z9vOg3vacyZnIr8hWY/NeNz7trA4qAGkespLV5SEGOiOUvT4drEhN4Q:Zp3vcWY/UzOkelSVrwD

    Score
    10/10
    guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks