guloader | eed0935d0176fbb012006f4e41de769a2ef84fcb092f06b62be7ceb250d895d9 | Triage

Submit
Reports

Overview

overview

Static

static

1

Happy Fies...df.vbs

windows7-x64

Happy Fies...df.vbs

windows10-2004-x64

Sharing

General

Target

Happy Fiestas Patrias·pdf.vbs
Size

30KB
Sample

240925-hdgsjazhmk
MD5

a08909dd22f1ef8eee277b3f178a65bd
SHA1

30d67f8107a95d9a779aa010268421d3ecddb611
SHA256

eed0935d0176fbb012006f4e41de769a2ef84fcb092f06b62be7ceb250d895d9
SHA512

45c195eca97a2daefd2b245548f408c5c67c991f2adcd2d08520baafd3f9e99984cab3cff52c6cdd179b314963f069ed134e32c9827a3fdf6609288ed4d9f50e
SSDEEP

768:hXwI+o49dnoX82Q/YoTprXzNQvD3L8LbEjWI:SI+5LX2NoTdq83EyI

Score

10^/10

guloader lokibot collection discovery downloader execution spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Happy Fiestas Patrias·pdf.vbs

Resource

win7-20240903-en

guloader lokibot collection discovery downloader execution spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Happy Fiestas Patrias·pdf.vbs

Resource

win10v2004-20240802-en

guloader lokibot collection discovery downloader execution spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  Happy Fiestas Patrias·pdf.vbs
- Size
  
  30KB
- MD5
  
  a08909dd22f1ef8eee277b3f178a65bd
- SHA1
  
  30d67f8107a95d9a779aa010268421d3ecddb611
- SHA256
  
  eed0935d0176fbb012006f4e41de769a2ef84fcb092f06b62be7ceb250d895d9
- SHA512
  
  45c195eca97a2daefd2b245548f408c5c67c991f2adcd2d08520baafd3f9e99984cab3cff52c6cdd179b314963f069ed134e32c9827a3fdf6609288ed4d9f50e
- SSDEEP
  
  768:hXwI+o49dnoX82Q/YoTprXzNQvD3L8LbEjWI:SI+5LX2NoTdq83EyI
Score

10^/10

guloader lokibot collection discovery downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Time Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderlokibotcollectiondiscoverydownloaderexecutionspywarestealertrojan

behavioral2

guloaderlokibotcollectiondiscoverydownloaderexecutionspywarestealertrojan

© 2018-2025

Terms | Privacy