General

  • Target

    BL-RTM1439068.vbs

  • Size

    9KB

  • Sample

    240624-tb73gszgnc

  • MD5

    f369abd236c71d5b1c89e2c7a2304548

  • SHA1

    c0913ba6a19b4e136e76b07452ec400cf3870405

  • SHA256

    a14d83525d5d0c6942f1c2b0f6998acddf472655d0f998b9614d2a70b8df54af

  • SHA512

    0faf0fb26fbfd93c5cff91700f52c4d07124a212274e5e3cd5e6793a50d14b3519a365e2ce2715bfc5bc1ba9f19db585ba507e3a844d617310ca85339cf88305

  • SSDEEP

    192:Gdnx4g3W2CfJysndF8+htnG/r9Tft+3k6xjlsbdWuHITjGaW/OqlDoUslStBGfX:TFgCwwAT9Tok6EmUOqJYl6BGfX


Targets

    • Target

      BL-RTM1439068.vbs

    • Size

      9KB

    • MD5

      f369abd236c71d5b1c89e2c7a2304548

    • SHA1

      c0913ba6a19b4e136e76b07452ec400cf3870405

    • SHA256

      a14d83525d5d0c6942f1c2b0f6998acddf472655d0f998b9614d2a70b8df54af

    • SHA512

      0faf0fb26fbfd93c5cff91700f52c4d07124a212274e5e3cd5e6793a50d14b3519a365e2ce2715bfc5bc1ba9f19db585ba507e3a844d617310ca85339cf88305

    • SSDEEP

      192:Gdnx4g3W2CfJysndF8+htnG/r9Tft+3k6xjlsbdWuHITjGaW/OqlDoUslStBGfX:TFgCwwAT9Tok6EmUOqJYl6BGfX

    • GuLoader (CloudEyE)

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • NirSoft

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
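Three of the signatures above (hidden PowerShell launched from a script host, a Run key written for persistence, and the Outlook profile access that a MailPassView-style tool performs) can be hunted for in endpoint telemetry. The script below is an added example, not part of the sandbox report or of any of the tools it names: it runs a small rule set over constructed process and registry events whose field names, paths and value names are illustrative and not taken from this sample. Registry reads are not recorded by Sysmon, so the Outlook rule assumes an event source that logs key opens (an API trace or SACL-based auditing).

```python
"""Hunt over constructed process and registry events for three behaviours
listed in the report: a script host spawning PowerShell with a hidden window
(T1059.001), a Run key written for persistence (T1547.001), and Outlook
profile keys being opened, which is what a MailPassView-style recovery tool
does (T1114). All events below are constructed for illustration."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _prefixes(word: str) -> str:
    """Alternation of every non-empty prefix of `word`, longest first.
    PowerShell resolves parameter names by unique prefix, so -w, -win and
    -WindowStyle are equivalent; matching prefixes keeps abbreviations from
    slipping past the rule."""
    return "(?:" + "|".join(re.escape(word[:i]) for i in range(len(word), 0, -1)) + ")"


# -WindowStyle Hidden in any abbreviation, with a space or ':' separator;
# the numeric form 1 (ProcessWindowStyle.Hidden) is accepted as well.
HIDDEN_WINDOW_RE = re.compile(
    r"(?<!\S)-" + _prefixes("windowstyle") + r"(?:\s+|:)(?:" + _prefixes("hidden") + r"|1)(?!\S)",
    re.IGNORECASE,
)
# Autostart keys covered by T1547.001 (Run/RunOnce, including the Explorer
# variants), with or without a trailing value name as Sysmon would log it.
RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?:Policies\\Explorer\\|Explorer\\)?Run(?:Once)?(?:\\[^\\]+)?$",
    re.IGNORECASE,
)
# Outlook profile stores read by credential-recovery tools.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles(?:\\|$)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return one finding per matching event: (technique, event index, reason)."""
    findings = []
    for i, ev in enumerate(events):
        image = _basename(ev.get("image", ""))
        if ev["type"] == "process":
            parent = _basename(ev.get("parent_image", ""))
            if (image in POWERSHELL and parent in SCRIPT_HOSTS
                    and HIDDEN_WINDOW_RE.search(ev.get("command_line", ""))):
                findings.append(("T1059.001", i, f"{parent} spawned hidden {image}"))
        elif ev["type"] == "registry":
            key = ev.get("key", "")
            if ev.get("op") == "set" and RUN_KEY_RE.search(key) and image in POWERSHELL | SCRIPT_HOSTS:
                findings.append(("T1547.001", i, f"{image} wrote Run value {ev.get('value')!r}"))
            if OUTLOOK_PROFILE_RE.search(key):
                findings.append(("T1114", i, f"{image} opened an Outlook profile store"))
    return findings


# Constructed events (hypothetical paths and value names, not sandbox output).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\BL-RTM1439068.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "<omitted>"'},
    {"type": "registry", "op": "set",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -NoProfile -Command Get-Date"},  # benign: no hidden window, not from a script host
    {"type": "registry", "op": "open",
     "image": r"C:\Users\user\AppData\Local\Temp\loader.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
]

if __name__ == "__main__":
    for technique, idx, reason in hunt(SAMPLE_EVENTS):
        print(f"{technique}  event[{idx}]  {reason}")
```

The parent/child pairing matters more than the hidden-window flag on its own: `-WindowStyle Hidden` from an interactive shell is common in administration scripts, while wscript.exe or mshta.exe spawning PowerShell is rarely legitimate, which is why the first rule requires both. The Run-key rule is scoped to script hosts and PowerShell for the same reason; widen the image set if your environment sees other droppers.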

MITRE ATT&CK Matrix (ATT&CK v13)

  The number after each technique is the count of matching signatures.

  • Execution

    Command and Scripting Interpreter (T1059): 1
      PowerShell (T1059.001): 1

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Collection

    Email Collection (T1114): 1

  • Command and Control

    Web Service (T1102): 1
