guloader | 1b9c6deba727562229d8b79852671684b92a45d6b27690ad4bf0fe73e5bb2d9f | Triage

Submit
Reports

Overview

overview

Static

static

1

331a07b5bb...25.exe

windows7-x64

331a07b5bb...25.exe

windows10-2004-x64

8

Sharing

General

Target

afc2cf9b291ca4fc649575f1efe5f1cb.bin
Size

557KB
Sample

240622-dzykyswbjh
MD5

aa85d5664b04c904de481619f2393029
SHA1

da99440d1fdd0f0abf05a92bc1153286caa28902
SHA256

1b9c6deba727562229d8b79852671684b92a45d6b27690ad4bf0fe73e5bb2d9f
SHA512

104f41869028db13578a01e2ae0c80f0dac8bcf565823916d2c401804f36183eb491c8222715ab08ac2ba417680fe4ab23af20ed7864a08576bbdb13f4d534f4
SSDEEP

12288:nsF3YJ6mCbizZ8F/+cnDxMIjOHHRGvRB1X8BvuEp7Eml0l6j:saJeGzZ85+cDWIjOwv/6xES0l0

Score

10^/10

guloader lokibot collection downloader execution spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

331a07b5bb8e8e5182c7db012d7471bced3bd83142be852b44e26c807d0b8d25.exe

Resource

win7-20240611-en

guloader lokibot collection downloader execution spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

331a07b5bb8e8e5182c7db012d7471bced3bd83142be852b44e26c807d0b8d25.exe

Resource

win10v2004-20240611-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Targets

- Target
  
  331a07b5bb8e8e5182c7db012d7471bced3bd83142be852b44e26c807d0b8d25.exe
- Size
  
  677KB
- MD5
  
  afc2cf9b291ca4fc649575f1efe5f1cb
- SHA1
  
  2398c35747669b1b83b5b965c1bff80c0f3183bc
- SHA256
  
  331a07b5bb8e8e5182c7db012d7471bced3bd83142be852b44e26c807d0b8d25
- SHA512
  
  aabbc68847a73856d8e8a902f7f6c9eddb7bbf1757875c7177e6e45a5de710a806a92233a2b29b25119962a70d8309027527faecf51acd0ace7985110487fd9f
- SSDEEP
  
  12288:ctnsok3P8bkkSrN7VJmKgcbiAtG6kT6KOuijXMJjTI3EWc2:Gk/FBrN7VJmKDiAt2HToe9
Score

10^/10

guloader lokibot collection downloader execution spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloaderlokibotcollectiondownloaderexecutionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy