guloader | d52690951ad1a5dd386f8157684af0ce56cf54cb0d6ad936c6735371752cb4d2 | Triage

Sharing

General

Target

d52690951ad1a5dd386f8157684af0ce56cf54cb0d6ad936c6735371752cb4d2.hta
Size

7KB
Sample

240925-c21mnazepl
MD5

ccd0e2738d0e4b7a59a358232d8a9044
SHA1

1cb60d8d1ba530815f233fc28d809bf884f8b4d0
SHA256

d52690951ad1a5dd386f8157684af0ce56cf54cb0d6ad936c6735371752cb4d2
SHA512

bedcc4a2dbaeea2f222216ad8496ec2eedc4d938f7050bf127c596d4e908974dfb8b5f81ad30e125a713cb702b0723e04dfa28486d71b042b2a325efde595541
SSDEEP

96:bWvaFjbF7xDH6afMy0J+U7AH/wKbSgXd6JHP+bow2GHOnVWtV3UcCzswQ8NhVeJz:+cbFdbEhAH/lf6JL3VWz38zp7Uz

Score

10^/10

guloader lokibot collection discovery downloader execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://trvtest.click/RF/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  d52690951ad1a5dd386f8157684af0ce56cf54cb0d6ad936c6735371752cb4d2.hta
- Size
  
  7KB
- MD5
  
  ccd0e2738d0e4b7a59a358232d8a9044
- SHA1
  
  1cb60d8d1ba530815f233fc28d809bf884f8b4d0
- SHA256
  
  d52690951ad1a5dd386f8157684af0ce56cf54cb0d6ad936c6735371752cb4d2
- SHA512
  
  bedcc4a2dbaeea2f222216ad8496ec2eedc4d938f7050bf127c596d4e908974dfb8b5f81ad30e125a713cb702b0723e04dfa28486d71b042b2a325efde595541
- SSDEEP
  
  96:bWvaFjbF7xDH6afMy0J+U7AH/wKbSgXd6JHP+bow2GHOnVWtV3UcCzswQ8NhVeJz:+cbFdbEhAH/lf6JL3VWz38zp7Uz
Score

10^/10

guloader lokibot collection discovery downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectiondiscoverydownloaderexecutionspywarestealertrojan

behavioral2

guloaderlokibotcollectiondiscoverydownloaderexecutionspywarestealertrojan