General

  • Target

    c7ceecb921d43912ec928af816a43ede.bin

  • Size

    246KB

  • Sample

    240628-dmq1caxhph

  • MD5

    2ecea919d3c9a162ea592a5887e72fb9

  • SHA1

    6b5afb2e361970295fadca087dc940ca90bcca8a

  • SHA256

    1e0e3c62b986a132017f1eed4d4226de5511bdfe08124264a3b02d5098df14e1

  • SHA512

    15863b205bd4c5d3ec7b9a16e831707fd7da2ffe3662ccd1660ddacfa5db8a495d81744123cad38670d537e258e1024bef3e513844653b55bce3dbde0306f091

  • SSDEEP

    6144:ADt+XviNjaZVO73jdJIiERSs9YFH5eCIkVpQQ/XBlSUD:Ax+fiNAVOjjwiWN9YBpQQ/Rgw
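The hash bullets above are the report's file indicators. As an added example, not part of the report or of the sandbox's own tooling, the Python below parses that bullet layout into records and compares a file's digests against them. The REPORT_EXCERPT constant is quoted from this page (the top-level sample and the first dropped target); the file hashed at the bottom is constructed. SSDEEP is left out on purpose: fuzzy hashing needs a third-party library and is a similarity check, not an identity check.

```python
"""Parse sandbox-report hash bullets into IOC records and check files against them.

Added example, not the report's or the sandbox vendor's code.  REPORT_EXCERPT is
quoted from the report; the file hashed in __main__ is constructed.
"""
import hashlib
import re
import tempfile

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
BULLET = re.compile(r"^\s*•\s*(\S.*?)\s*$")

# Quoted from the report above: top-level sample, then the first dropped target.
REPORT_EXCERPT = """\
  • Target

    c7ceecb921d43912ec928af816a43ede.bin

  • MD5

    2ecea919d3c9a162ea592a5887e72fb9

  • SHA256

    1e0e3c62b986a132017f1eed4d4226de5511bdfe08124264a3b02d5098df14e1

    • Target

      144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

    • MD5

      c7ceecb921d43912ec928af816a43ede

    • SHA256

      144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86
"""


def parse_report(text):
    """Turn '• Label / value' bullets into a list of {"name", "MD5", ...} dicts.

    A 'Target' bullet starts a new record; hash bullets are kept only when the
    value is well-formed lowercase hex of the right length, so a garbled line
    cannot become a silently wrong indicator.
    """
    records, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BULLET.match(raw)
        if m:
            label = m.group(1)
            if label == "Target":
                current = {}
                records.append(current)
            continue
        if current is None or label is None:
            continue  # text outside any bullet (e.g. "Score" lines)
        if label == "Target":
            current["name"] = line
        elif label in HEX_LEN:
            value = line.lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], value):
                current[label] = value
        label = None  # each bullet carries exactly one value line
    return records


def hash_bytes(data):
    """Digest an in-memory blob with every algorithm the report uses."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in HASH_ALGOS}


def hash_file(path, chunk_size=1 << 16):
    """Stream a file through all four hashers so large samples fit in memory."""
    hashers = {a: hashlib.new(a.lower()) for a in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, records):
    """Return the records whose every listed hash agrees with the file's digests.

    Requiring all present algorithms to agree means a record that disagrees on
    one digest (a typo in the report, or a deliberate MD5 collision) is not a hit.
    """
    hits = []
    for rec in records:
        algos = [a for a in HASH_ALGOS if a in rec]
        if algos and all(rec[a] == digests[a] for a in algos):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    iocs = parse_report(REPORT_EXCERPT)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:  # constructed file, not the sample
        tmp.write(b"constructed placeholder, not malware")
    hits = match_digests(hash_file(tmp.name), iocs)
    print(f"{len(iocs)} indicators parsed, {len(hits)} matching {tmp.name}")
```

Run it against a quarantine directory by replacing the temporary file with `os.scandir` over the collected files; a hit on any record is enough to tie a file to this report, and a file matching on SHA256 but missing the MD5 bullet is still a hit because only the hashes the record carries are compared.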

Malware Config

Targets

    • Target

      144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

    • Size

      314KB

    • MD5

      c7ceecb921d43912ec928af816a43ede

    • SHA1

      2c4266ebdae98fc609ffb191cf26e85dc0671faa

    • SHA256

      144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86

    • SHA512

      8b4ecfc89221af3d4dde2ab7effc288f9c9ddaba764b67acbde33fbc5c19d69e16d69c40f35de74e36f4eb12bdd2ffba44b702bea9d5249476dafc7f4f389e31

    • SSDEEP

      6144:BXFKo5F4CtVeI8Y9BA6MA4ph2LN7LNNhEdMUjzz4elzC:BX54CVeI8Y9BA6uph2LN7LNNhTelO

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      b4579bc396ace8cafd9e825ff63fe244

    • SHA1

      32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

    • SHA256

      01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

    • SHA512

      3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

    • SSDEEP

      96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM

    Score
    3/10
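Several of the signatures above ("Executes dropped EXE", "Loads dropped DLL", "Adds Run key to start application") correspond to events an endpoint sensor records. As an added example, not part of the report or of the sandbox's own signature set, the Python below implements those three as detection rules run over constructed Sysmon-style events. Field names follow Sysmon's ProcessCreate (ID 1), ImageLoad (ID 7), FileCreate (ID 11) and RegistryEvent SetValue (ID 13); the user name, download path, temp directory, dropped file name and SID are invented, and the only page-derived value is the installer's file name.

```python
"""Detection rules for three behaviours the report flags, over Sysmon-like events.

Added example, not the sandbox's signature code.  SAMPLE_EVENTS are constructed
(paths, user, SID and dropped-file names are invented) and are not telemetry
captured from this sample.
"""
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories an unprivileged user can write to; a Run value pointing there is
# far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE)


def norm(path):
    """Windows paths are case-insensitive; compare them in one case."""
    return path.lower()


def detect(events):
    """Walk events in arrival order and return (rule, detail) alerts.

    'dropped' maps every file written during the stream to the process that
    wrote it, so a later execution or load of that path can be tied back to
    the dropper without needing the sensor to correlate the two itself.
    """
    dropped = {}
    alerts = []
    for ev in events:
        eid, image = ev["EventID"], norm(ev["Image"])
        if eid == 11:  # FileCreate: remember who dropped what
            dropped[norm(ev["TargetFilename"])] = ev["Image"]
        elif eid == 1:  # ProcessCreate of a file seen being written earlier
            if image in dropped:
                alerts.append(("Executes dropped EXE",
                               f"{ev['Image']} (written by {dropped[image]})"))
        elif eid == 7:  # ImageLoad of a DLL seen being written earlier
            loaded = norm(ev["ImageLoaded"])
            if loaded in dropped and loaded.endswith(".dll"):
                alerts.append(("Loads dropped DLL",
                               f"{ev['Image']} loaded {ev['ImageLoaded']}"))
        elif eid == 13:  # RegistryEvent SetValue under a Run / RunOnce key
            if RUN_KEY.search(ev["TargetObject"]):
                details = ev.get("Details", "")
                severity = "high" if USER_WRITABLE.search(details) else "low"
                alerts.append(("Adds Run key to start application",
                               f"{ev['TargetObject']} = {details} [{severity}]"))
    return alerts


# Constructed event stream modelled on an NSIS installer dropping its plugins,
# dropping a payload, running it, and the payload registering a Run key.
INSTALLER = (r"C:\Users\victim\Downloads"
             r"\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe")
PLUGINS = r"C:\Users\victim\AppData\Local\Temp\nsy1A2B.tmp"   # invented $PLUGINSDIR
PAYLOAD = r"C:\Users\victim\AppData\Roaming\payload.exe"        # invented dropped name
HKU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"     # invented SID
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": INSTALLER, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": INSTALLER, "TargetFilename": PLUGINS + r"\System.dll"},
    {"EventID": 11, "Image": INSTALLER, "TargetFilename": PLUGINS + r"\nsExec.dll"},
    {"EventID": 7, "Image": INSTALLER, "ImageLoaded": PLUGINS + r"\System.dll"},
    {"EventID": 11, "Image": INSTALLER, "TargetFilename": PAYLOAD},
    {"EventID": 1, "Image": PAYLOAD, "ParentImage": INSTALLER},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": PAYLOAD},
    # Benign control: a vendor installer writing a Run value into Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Run-key rule deliberately fires on the benign control too, at low severity: legitimate installers write Run values constantly, so the useful signal is where the value points, not the write itself. The drop-then-execute rule keys on exact path equality, so a sensor that logs 8.3 short names or `\\?\` prefixes would need path canonicalisation before `norm`.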

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique / Sub-technique                 Count  ID
  Persistence           Boot or Logon Autostart Execution           1    T1547
                          Registry Run Keys / Startup Folder        1    T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution           1    T1547
                          Registry Run Keys / Startup Folder        1    T1547.001
  Defense Evasion       Modify Registry                             2    T1112
                        Subvert Trust Controls                      1    T1553
                          Install Root Certificate                  1    T1553.004
  Credential Access     Unsecured Credentials                       1    T1552
                          Credentials In Files                      1    T1552.001
  Discovery             Query Registry                              1    T1012
                        System Information Discovery                2    T1082
  Collection            Data from Local System                      1    T1005
                        Email Collection                            1    T1114

Tasks