Overview

overview

10

Static

static

3

Quote Requ...df.exe

windows7-x64

10

Quote Requ...df.exe

windows10-2004-x64

10

Resubmissions

01-07-2024 16:13

240701-tpeyvsscpp 10

01-07-2024 16:06

240701-tkj21ssckp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quote Request (Tupy S.A.) 523AM - 924BR·pdf.exe

  • Size

    648KB

  • Sample

    240701-tpeyvsscpp

  • MD5

    93a658e985408e0538044b8b91a2729c

  • SHA1

    c1f250915cb43fc6a46d29dc28a1f09881fe0ded

  • SHA256

    1789a36b829cd09dc4fd24323a0d1bb900494714b4cc7083af651630f2c42d2f

  • SHA512

    5337c140a778e4ababf7dd82fcd280feb2a7e9e9db981c7fed1fff9c0ea8d562afe71992aa054e98ba9c715f0bea48d939f98b171110a7aaffcd372d23e2816e

  • SSDEEP

    12288:zsB4GOFuvCfdDrklbm9QfwYUcTWQ5xQryR2:I4GOFCCFf4m9ESQWQDQ2Q

Score
10/10
guloaderlokibotcollectiondownloaderexecutionspywarestealertrojan

Malware Config

Targets

    • Target

      Quote Request (Tupy S.A.) 523AM - 924BR·pdf.exe

    • Size

      648KB

    • MD5

      93a658e985408e0538044b8b91a2729c

    • SHA1

      c1f250915cb43fc6a46d29dc28a1f09881fe0ded

    • SHA256

      1789a36b829cd09dc4fd24323a0d1bb900494714b4cc7083af651630f2c42d2f

    • SHA512

      5337c140a778e4ababf7dd82fcd280feb2a7e9e9db981c7fed1fff9c0ea8d562afe71992aa054e98ba9c715f0bea48d939f98b171110a7aaffcd372d23e2816e

    • SSDEEP

      12288:zsB4GOFuvCfdDrklbm9QfwYUcTWQ5xQryR2:I4GOFCCFf4m9ESQWQDQ2Q

    Score
    10/10
    guloaderlokibotcollectiondownloaderexecutionspywarestealertrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks