General

  • Target

    04072024_1523_04072024_Payment INV-373728_pdf.gz

  • Size

    13KB

  • Sample

    240704-ssf5naycnl

  • MD5

    3f53bf0bed233825c9ffd41ff2368698

  • SHA1

    6cd45056d738138f6f6e01af7dfd3aef1bd4985f

  • SHA256

    6fa9dda2a50a4d62342e455cc4a843b30bf25e9f6bca23329607ed1eab36b89e

  • SHA512

    acd67a7ce56306624cc2499850f492c174105416002140f39f1cd3cf16081c050261960fa3449584517c51a3b38ab2a88d44b0674e0aba1e580a9121422c43d6

  • SSDEEP

    384:2Xwsc+PEIPEI+halF053JndHamYFbj6fWsfM:2gscQXIeF09Tamw6fK

Malware Config

Targets

    • Target

      Payment INV-373728_pdf.vbs

    • Size

      22KB

    • MD5

      f15820905822cf3b2f11e3c34c3ea408

    • SHA1

      1d37cfb741fc1b2fa2a47c088dc9f88edf01a501

    • SHA256

      31a6818ba439d39bdae897b77513d3a92d27bc3f93b5b1a5aaf1d77ec5e49738

    • SHA512

      4fcc64060f8b747d849f926501e17512098a6736ba23b2f3de0c4073fa76ab58f0629bf828db56c025dd3ce870c033e2db18bd12028f985c5d5921c567d17358

    • SSDEEP

      384:Ixr9nWbJlZMmn6nDz1mFYAf+dTRyIK53A5NCFm7Ar+rZsezJy7SAls1/CSAZ9TkQ:IxrYbvZMmn6DhmFYAf+dTYIKtwIslPsf

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 3
    Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1

Tasks