guloader | 7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c | Triage

Submit
Reports

Overview

overview

Static

static

1

WNIOSEK BU...df.vbs

windows7-x64

WNIOSEK BU...df.vbs

windows10-2004-x64

Sharing

General

Target

WNIOSEK BUDŻETOWY 09-18-2024·pdf.vbs
Size

32KB
Sample

240922-fzvv6stcmk
MD5

efc01dc5a4acefe058450f0dee1c1e9d
SHA1

f6244111b8588a7105124c4f4c40f6caa2bffa28
SHA256

7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c
SHA512

eab5f2a42206d42628ab77d566b7394e6dafbb785b5cfd3abc357c5eed4dfce501246246e67ffa0e4389c974ccf60dda598f64a3277925cca74fb0611505ea4d
SSDEEP

384:Z9vOg3F19w8sNthahA0ZvF+io9vUErJHyvRe1P93fvTnm:Zp3F1qt0qA/oZJce1VHTm

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

WNIOSEK BUDŻETOWY 09-18-2024·pdf.vbs

Resource

win7-20240903-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

WNIOSEK BUDŻETOWY 09-18-2024·pdf.vbs

Resource

win10v2004-20240802-en

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  WNIOSEK BUDŻETOWY 09-18-2024·pdf.vbs
- Size
  
  32KB
- MD5
  
  efc01dc5a4acefe058450f0dee1c1e9d
- SHA1
  
  f6244111b8588a7105124c4f4c40f6caa2bffa28
- SHA256
  
  7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c
- SHA512
  
  eab5f2a42206d42628ab77d566b7394e6dafbb785b5cfd3abc357c5eed4dfce501246246e67ffa0e4389c974ccf60dda598f64a3277925cca74fb0611505ea4d
- SSDEEP
  
  384:Z9vOg3F19w8sNthahA0ZvF+io9vUErJHyvRe1P93fvTnm:Zp3F1qt0qA/oZJce1VHTm
Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

© 2018-2025

Terms | Privacy