Overview

overview

7

Static

static

Client.vbs

windows10-1703-x64

7

Client.vbs

windows7-x64

7

Run-VBS-1.bat

windows10-1703-x64

7

Run-VBS-1.bat

windows7-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Malware-1.zip

  • Size

    114KB

  • Sample

    221125-d4jycsce2y

  • MD5

    6887741a451647b34654f779ee36dc78

  • SHA1

    c913b2f2ce33a59a0df1f33e521f48c2cf471f48

  • SHA256

    59fbfefc50c8f11efd9765dbef3cf36f2bb1a39edd4273414906017f1c69f7f6

  • SHA512

    3cb5f6f325415e0760020516ff87f4650c3792e62f3466375e3c0a271a583f7bd9bc2ae5352785679956bc76eea83437e8eb0e1c25e9c3deff0ab764d2f6665e

  • SSDEEP

    3072:+8U9vSgI6GnQGO67dtheWlDmZbAJBMv7ZPiGV5bRrtA:pZn6AtEWA77liubvA

Score
7/10
persistence

Malware Config

Targets

    • Target

      Client.vbs

    • Size

      177KB

    • MD5

      bcfb5c05a5695508cae014e0fb254785

    • SHA1

      6cb6d497451b32d393f7b2dc1beb2b0baf80b0d3

    • SHA256

      e443da0d45d95a550c2f2637c8b7f3000aa9fef71840a4deff34333ad51d3c32

    • SHA512

      8a66382d94001e0662f63553d2fdb06335c52e37994425ad980f0c87c0f9b388635b21816dfba6542d694f5f96dc53b1666424c22f5a815c326bc5046e1c08db

    • SSDEEP

      3072:4od0wW0uWMKsiQjL7Ow0z72qo3NFOrvEFbGHTnC66xgZ7/9T/Dv5vwLI2c:bd5uWBsiQXJ0+nOQITCFOr9vSBc

    Score
    7/10
    persistence

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Run-VBS-1.bat

    • Size

      26B

    • MD5

      b7c4c74c2be103888999b98cabe11762

    • SHA1

      72f9c3131b22688b6d9774f7d0e0bdf7af52fc1c

    • SHA256

      aec5f3164db58aad2fed2cf82f64c64053656e2e7990318711646a12ef9f5287

    • SHA512

      40d65b504b0b830fd5de0503f041d99fe0cfcecf864a8be63a7159676b29c4b535c4481dc3afa4d4c2b6f8cf7f8d453ffc2e39825953401c9aedd66e21b0f60e

    Score
    7/10
    persistence

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks