General

  • Target

    rSCAN31804.zip

  • Size

    246KB

  • Sample

    240702-2yenfsthpf

  • MD5

    101bdb677724d86650f9782be88cc538

  • SHA1

    f7920e73b43cfcf8f3457ed1cea90d68dcfecd6d

  • SHA256

    72422ffd1c7d2f609bc487c44b6b4b022d14f27b0e7cde1cd360588da857e0cc

  • SHA512

    8c0f5d563d91a835d764607d4f05506577b011ffe857f86e0c084382325d76d7097b2db8d85b59b548403c476ae64634fc7d619660a8d57c586a22f8fe33076f

  • SSDEEP

    6144:Z+XvwDSUjdpYcBA6iA8FX2DN7LF7hUdMUjzz4elv4+kqI:ZuvwDSgbBA6YFX2DN7LF7hjelvPkqI

Malware Config

Targets

    • Target

      rSCAN31804.zip

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      rSCAN31804.exe

    • Size

      314KB

    • MD5

      c7ceecb921d43912ec928af816a43ede

    • SHA1

      2c4266ebdae98fc609ffb191cf26e85dc0671faa

    • SHA256

      144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86

    • SHA512

      8b4ecfc89221af3d4dde2ab7effc288f9c9ddaba764b67acbde33fbc5c19d69e16d69c40f35de74e36f4eb12bdd2ffba44b702bea9d5249476dafc7f4f389e31

    • SSDEEP

      6144:BXFKo5F4CtVeI8Y9BA6MA4ph2LN7LNNhEdMUjzz4elzC:BX54CVeI8Y9BA6uph2LN7LNNhTelO

    • Score

      7/10

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Event Triggered Execution, T1546 (2)
    • Change Default File Association, T1546.001 (1)
    • Component Object Model Hijacking, T1546.015 (1)
  • Boot or Logon Autostart Execution, T1547 (1)
    • Registry Run Keys / Startup Folder, T1547.001 (1)

Privilege Escalation

  • Event Triggered Execution, T1546 (2)
    • Change Default File Association, T1546.001 (1)
    • Component Object Model Hijacking, T1546.015 (1)
  • Boot or Logon Autostart Execution, T1547 (1)
    • Registry Run Keys / Startup Folder, T1547.001 (1)

Defense Evasion

  • Modify Registry, T1112 (3)

Credential Access

  • Unsecured Credentials, T1552 (1)
    • Credentials In Files, T1552.001 (1)

Discovery

  • Query Registry, T1012 (3)
  • System Information Discovery, T1082 (4)

Collection

  • Data from Local System, T1005 (1)
  • Email Collection, T1114 (1)

Tasks