guloader | 3aa15d906f530f4b50ae0ce7627da1eab22fdb6110e60af7ca85fad30c9e164d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

EX778415591042.vbs

windows7-x64

EX778415591042.vbs

windows10-2004-x64

Sharing

General

Target

18092024_1418_17092024_EX778415591042.ace
Size

5KB
Sample

240918-rmr5asvgle
MD5

975cb5f9371896d681a56b1693a320d3
SHA1

de2174b2dc391a94cd071fe9192c4244d52ef76b
SHA256

3aa15d906f530f4b50ae0ce7627da1eab22fdb6110e60af7ca85fad30c9e164d
SHA512

eabd95cce7481798ca0686fada37d957b696f7ff19179895578b6aeaada8405d9d67d38a30f5a9b3a4d821c838ea839afe52956e64f33db300cdefbdad17aaa7
SSDEEP

96:JbIoVkLvedWJFPlyeT6k+bnfEz/zr3CxLAe94m9QDA9WbRrvBK/D9zkPRHkdT71V:JkA8m+R8eP+bfi//C5Aemm2A9izAGPe/

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

EX778415591042.vbs

Resource

win7-20240903-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows7-x64

18 signatures

300 seconds

Behavioral task

behavioral2

Sample

EX778415591042.vbs

Resource

win10v2004-20240802-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows10-2004-x64

18 signatures

300 seconds

Malware Config

Targets

- Target
  
  EX778415591042.vbs
- Size
  
  10KB
- MD5
  
  e54e9c9586d6eb1b032b97f5ced77204
- SHA1
  
  d4ef79ae803dc0cbca9e180d9cf88cce6e8d08d7
- SHA256
  
  c7cc1d7877c14667c21c56547ad84a8cd7d8def57789911a559d2a28399ae43b
- SHA512
  
  7030de2b60b1cdb73bde04d83824de14c434828e050ba92e4d55a7f757453fb2567feed781cb6320b10cded7cb6630627540c2f8b8f941ce0ec039f539fd7400
- SSDEEP
  
  192:PxDz2esQhSJLqvYLHHCsm1Bls6Vz06Clv5eVQzN8bzUik4JO7qI7m+:JJtSqqnHGDNCv5RzN8bzUiDJel1
Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

© 2018-2025

Terms | Privacy