guloader | 9dc109035bc4cf133bbd4ef89b110075e54d4a0920031577dc48e6c9dc41258b | Triage

Sharing

General

Target

9dc109035bc4cf133bbd4ef89b110075e54d4a0920031577dc48e6c9dc41258b
Size

4KB
Sample

240923-qbdl4axbpj
MD5

63ee4894adb2cb12591d06a43291f724
SHA1

f61321202e3b175fe1f553984b1de3fe0ea9bba9
SHA256

9dc109035bc4cf133bbd4ef89b110075e54d4a0920031577dc48e6c9dc41258b
SHA512

49342d36f582e9b0cb98a5ffd3319f9faf009b65422ac3823c41a5e2080832f73841bfd189b90c5099beccf5788fa1e1c1aad3e0b17d68a6ad88d49e9d32d7af
SSDEEP

96:Lsf9Xk2QIERLbWAOPdtRvbxRw7qztsRQeo:IVXeIERLbdmjvVRH3

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://trvtest.click/RF/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Payment23092024.hta
- Size
  
  7KB
- MD5
  
  ccd0e2738d0e4b7a59a358232d8a9044
- SHA1
  
  1cb60d8d1ba530815f233fc28d809bf884f8b4d0
- SHA256
  
  d52690951ad1a5dd386f8157684af0ce56cf54cb0d6ad936c6735371752cb4d2
- SHA512
  
  bedcc4a2dbaeea2f222216ad8496ec2eedc4d938f7050bf127c596d4e908974dfb8b5f81ad30e125a713cb702b0723e04dfa28486d71b042b2a325efde595541
- SSDEEP
  
  96:bWvaFjbF7xDH6afMy0J+U7AH/wKbSgXd6JHP+bow2GHOnVWtV3UcCzswQ8NhVeJz:+cbFdbEhAH/lf6JL3VWz38zp7Uz
Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan

behavioral2

guloaderlokibotcollectioncredential_accessdiscoverydownloaderexecutionspywarestealertrojan