Overview

overview

10

Static

static

1

bde3493e67...a3.vbs

windows7-x64

3

bde3493e67...a3.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    af8e905368962cfb4873c41a77b4515c.bin

  • Size

    12KB

  • Sample

    240703-djfefathpc

  • MD5

    a2afd9e3d91f4396c362cf90fa341393

  • SHA1

    093f28ad3cf1f42d66b28cb79042bbed6a608cb8

  • SHA256

    02ee6a0fb75133dfa9169d50379a9a770185ca5c27c068ff71a5652e2d39d13e

  • SHA512

    2f216a9f670c1aa6bc4d0b5ca67ec3f756cedfa3ebbf46514fa232ba4a6646e247836958860b70505c286d27fdb68b6e6778d95ecd1d1f74b2d1532bf9a0da37

  • SSDEEP

    192:Ys/ssOeECmpkOUxlFhA+ssLa1vlq+qRrtAbvl1EvCrWV4kwoNzjb4PRPA:Ys6eK5erLmc+/p1uCWvdT4dA

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Targets

    • Target

      bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3.vbs

    • Size

      22KB

    • MD5

      af8e905368962cfb4873c41a77b4515c

    • SHA1

      577337de5d106e6b11225be7c362f33a8d5c0831

    • SHA256

      bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3

    • SHA512

      8fca68d732a9db1a4a6d9b955a361a5bd37bdd7c994e9094b31799cc7c4c6448fc620d2bf8928532a261680c78e8e138f0b960d9fa630dfc0b4e51c7e756a9c2

    • SSDEEP

      384:KlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwfEa+MCq22HX:6zSR022X/523S0e8xPPmra+Mq01N

    Score
    10/10
    guloadercollectiondownloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks