guloader | c7cc1d7877c14667c21c56547ad84a8cd7d8def57789911a559d2a28399ae43b | Triage

Submit
Reports

Overview

overview

Static

static

1

EX778415591042.vbs

windows7-x64

EX778415591042.vbs

windows10-2004-x64

Sharing

General

Target

EX778415591042.vbs
Size

10KB
Sample

240922-fy99gatdld
MD5

e54e9c9586d6eb1b032b97f5ced77204
SHA1

d4ef79ae803dc0cbca9e180d9cf88cce6e8d08d7
SHA256

c7cc1d7877c14667c21c56547ad84a8cd7d8def57789911a559d2a28399ae43b
SHA512

7030de2b60b1cdb73bde04d83824de14c434828e050ba92e4d55a7f757453fb2567feed781cb6320b10cded7cb6630627540c2f8b8f941ce0ec039f539fd7400
SSDEEP

192:PxDz2esQhSJLqvYLHHCsm1Bls6Vz06Clv5eVQzN8bzUik4JO7qI7m+:JJtSqqnHGDNCv5RzN8bzUiDJel1

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

EX778415591042.vbs

Resource

win7-20240903-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

EX778415591042.vbs

Resource

win10v2004-20240802-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  EX778415591042.vbs
- Size
  
  10KB
- MD5
  
  e54e9c9586d6eb1b032b97f5ced77204
- SHA1
  
  d4ef79ae803dc0cbca9e180d9cf88cce6e8d08d7
- SHA256
  
  c7cc1d7877c14667c21c56547ad84a8cd7d8def57789911a559d2a28399ae43b
- SHA512
  
  7030de2b60b1cdb73bde04d83824de14c434828e050ba92e4d55a7f757453fb2567feed781cb6320b10cded7cb6630627540c2f8b8f941ce0ec039f539fd7400
- SSDEEP
  
  192:PxDz2esQhSJLqvYLHHCsm1Bls6Vz06Clv5eVQzN8bzUik4JO7qI7m+:JJtSqqnHGDNCv5RzN8bzUiDJel1
Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

© 2018-2025

Terms | Privacy