guloader | b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629 | Triage

Sharing

General

Target

b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629.vbe
Size

32KB
Sample

240918-bybzfswanc
MD5

9921d0b5bf80b63899d793f480475cbe
SHA1

424494a62902199accb548a5e071fb457817e5d7
SHA256

b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629
SHA512

cbca7093bd5f08337ea58351d2e0efe757a28736e072f9d22b32e2cfd9496efadb892ae4735d15f2918e2c89b9361094b261ea7bb73f30c64dcbdf11b277edc2
SSDEEP

384:Z9vOg3OXUAF3JEkNcwcFAMQ1NQz32dCesqQdXy/vZ5mZYOvA9N4:Zp3O73JT8m9gTZesRXkYIQ

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Targets

- Target
  
  b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629.vbe
- Size
  
  32KB
- MD5
  
  9921d0b5bf80b63899d793f480475cbe
- SHA1
  
  424494a62902199accb548a5e071fb457817e5d7
- SHA256
  
  b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629
- SHA512
  
  cbca7093bd5f08337ea58351d2e0efe757a28736e072f9d22b32e2cfd9496efadb892ae4735d15f2918e2c89b9361094b261ea7bb73f30c64dcbdf11b277edc2
- SSDEEP
  
  384:Z9vOg3OXUAF3JEkNcwcFAMQ1NQz32dCesqQdXy/vZ5mZYOvA9N4:Zp3O73JT8m9gTZesRXkYIQ
Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan