guloader | 26ad5c1f3bd915409f7abcda1982dd502be0fc13e4b654f8b1c077a60d97b58e | Triage

Sharing

General

Target

19092024_0652_Request for budget 09-17-2024�pdf.vbs.zip
Size

11KB
Sample

240919-hncasswejk
MD5

331cd05583ff2a913d22d419b9c5fd2c
SHA1

f98feba538efd765caf57032abaf9795e8e5563e
SHA256

26ad5c1f3bd915409f7abcda1982dd502be0fc13e4b654f8b1c077a60d97b58e
SHA512

4cf74f3014519d4f761ab68d818bf6c6ac9676f10279048218ad614f5bb0862afbd4a0ade42d15b4a8951506ef239f2e60a312ac9a7e745c63e99d8c2e38d4f5
SSDEEP

192:+NFsJM+EX0y6vh1+Lpgot2PtrwLNRQ1GQeSJocw9k2eM5tKCzNEFIjpOE11uQ8wy:+bsJMvX960GtCRQ1GNSkEMbKGNJP14Qc

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Targets

- Target
  
  Request for budget 09-17-2024·pdf.vbs
- Size
  
  41KB
- MD5
  
  a9e7ff05c4fa8bf06479b824d0340b42
- SHA1
  
  73f218ddf92c79fce8c09638501a7610ffa6d650
- SHA256
  
  983e0421cd309bd8732a52aa652720cfb796b11e61f3bf4ba0db1fe405b82a92
- SHA512
  
  f42991287e5b395549ea8f65cbcb7747607fdd1550433c494a10d291c9aa1960e6907db08ecc6a8dfacaf3aded63d654268c1e2fee21984c74a591256970e8cd
- SSDEEP
  
  384:Z9vOg30sUqXgcAT0179dzJTAtKdkWIinkc0MyXgve7r87qUF8S09:Zp30wgcAAZ/zQxf/rYG
Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan