General

  • Target

    BrentFisherUSTax.pdf.lnk

  • Size

    2KB

  • Sample

    230301-1qjrrsac85

  • MD5

    cfb0a94f960a8e52c4017da1d4d12bff

  • SHA1

    33a3045df1a8306c1e46b0f5b6ad40d4547f6045

  • SHA256

    562ec1673c90fd1932f60b0f4e26e02a059347b88aa2d8fc0bddd058427d6946

  • SHA512

    4f298a350ec57fb26b810d39fbee95f26b769b7fe51c41b00d8fcd7adc661d3af1961d26bbeb2a3522df085254ca5826af1554cbe2ce8ecf3555dab6687d0c99
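The sample is a 2 KB shortcut whose name ends in .pdf.lnk, so the first question a triage analyst has is what the shortcut actually launches. The following is an added example, not part of the sandbox report and not the sample's own contents: a Python parser for the ShellLinkHeader and StringData fields of a .lnk (layout per the public [MS-SHLLINK] specification), run over a constructed shortcut that mimics the lure pattern. Only the filename is taken from the page; the shortcut bytes, the PowerShell target and argument string, the icon path and the indicator heuristics are assumptions for illustration.

```python
import re
import struct

# Field layout and LinkFlags values follow [MS-SHLLINK]; the 76-byte header
# is: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs,
# FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # ShowCommand that starts the target minimised, out of sight

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LOLBINS = ("powershell", "cmd", "mshta", "wscript", "cscript", "rundll32", "regsvr32")


def build_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Assemble a minimal shortcut; used only to construct test input here."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags,
                         0,              # FileAttributes
                         0, 0, 0,        # Creation/Access/Write FILETIME
                         0, 0,           # FileSize, IconIndex
                         show_command,
                         0, 0, 0, 0)     # HotKey, Reserved1..3
    def sd(s):                           # StringData: uint16 char count + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + sd(icon_location)


def parse_lnk(data):
    """Parse ShellLinkHeader and StringData without resolving or running the target."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    size, clsid, flags, show_cmd = hdr[0], hdr[1], hdr[2], hdr[9]
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList (uint16 size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (uint32 total size)
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_cmd}
    for flag, name in STRING_FIELDS:             # StringData sections appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def lnk_indicators(filename, info):
    """Static red flags worth raising before anything is executed (heuristics are assumptions)."""
    hits = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].rsplit(".", 1)[-1] in ("pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"):
        hits.append("document-looking double extension")
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    if args:
        hits.append("carries command-line arguments")
    hay = (target + " " + args).lower()
    for lolbin in LOLBINS:                       # word-bounded so 'mycmdtool' is not a hit
        if re.search(r"\b" + lolbin + r"(\.exe)?\b", hay):
            hits.append("invokes " + lolbin)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window minimised (SW_SHOWMINNOACTIVE)")
    icon = info.get("icon_location", "")
    if icon and icon.rsplit("\\", 1)[-1].lower() != target.rsplit("\\", 1)[-1].lower():
        hits.append("icon borrowed from another file")
    return hits


SAMPLE_NAME = "BrentFisherUSTax.pdf.lnk"        # the report's filename; the bytes below are constructed
SAMPLE_BYTES = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-NoP -W Hidden -c "Start-Process calc.exe"',   # benign stand-in for a downloader stage
    icon_location=r"C:\Windows\System32\imageres.dll",        # stock icon library, lends a document icon
)


def triage_lnk(filename=SAMPLE_NAME, data=SAMPLE_BYTES):
    """Parse a shortcut and return (parsed fields, list of indicators)."""
    info = parse_lnk(data)
    return info, lnk_indicators(filename, info)
```

Running triage_lnk() on the constructed bytes reports the PowerShell target, the argument string, and five indicators; a plain notepad.exe shortcut with no arguments and ShowCommand 1 produces none. Real samples often also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their size prefixes; the relative path, arguments and icon location are the fields that matter for a first look.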

Malware Config

Targets

    • Target

      BrentFisherUSTax.pdf.lnk

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, most likely to detect a virtualized sandbox.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
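As an added example, not the sandbox's own detection code, the signatures above can be expressed as rules over sandbox-style API events so that the observable behind each one is explicit. The event list is constructed. The report does not name the artifacts it keyed on, so the following are assumptions: the HKCU Run key path for persistence, the Control Panel\International\Geo\Nation value for the country code, the QEMU guest agent's default install path (C:\Program Files\qemu-ga\qemu-ga.exe), the ThreadHideFromDebugger information class (0x11) for NtSetInformationThread, and the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag (0x4) for NtCreateThreadEx. The blocklisted-process signature is left out because the page gives no process list.

```python
import re

# Observables each rule keys on.  All are assumptions about what the report's
# signatures match; the page itself does not name paths or constants.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
QEMU_AGENT_RE = re.compile(r"\\qemu-ga\\qemu-ga\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\Windows\\System32\\", re.I)
THREAD_HIDE_FROM_DEBUGGER = 0x11                 # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4    # NtCreateThreadEx CreateFlags bit

# Constructed sandbox-style event log: one dict per observed API call,
# chosen to exercise each rule once plus one benign write outside System32.
EVENTS = [
    {"api": "NtQueryValueKey", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"api": "NtCreateFile", "path": r"C:\Program Files\qemu-ga\qemu-ga.exe", "access": "read"},
    {"api": "NtCreateFile", "path": r"C:\Windows\System32\sysupd.exe", "access": "write"},
    {"api": "RegSetValueExW", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysupd",
     "data": r"C:\Windows\System32\sysupd.exe"},
    {"api": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
    {"api": "NtCreateThreadEx", "create_flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER},
    {"api": "NtSetContextThread", "handle": 0x1A4},
    {"api": "NtCreateFile", "path": r"C:\Users\victim\AppData\Local\Temp\x.tmp", "access": "write"},
]


def match_signatures(events):
    """Return the sorted set of signature names triggered by an event list."""
    hits = set()
    for e in events:
        api = e.get("api", "")
        path = e.get("path", "")
        if api in ("NtQueryValueKey", "RegQueryValueExW") and GEO_NATION_RE.search(path):
            hits.add("Checks computer location settings")
        if api == "NtCreateFile" and QEMU_AGENT_RE.search(path):
            hits.add("Checks QEMU agent file")
        if api == "NtCreateFile" and e.get("access") == "write" and SYSTEM32_RE.match(path):
            hits.add("Drops file in System32 directory")
        if api in ("RegSetValueExW", "NtSetValueKey") and RUN_KEY_RE.search(path):
            hits.add("Adds Run key to start application")
        if api == "NtSetInformationThread" and e.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        if api == "NtCreateThreadEx" and e.get("create_flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits.add("Suspicious use of NtCreateThreadExHideFromDebugger")
        if api in ("NtSetContextThread", "SetThreadContext"):
            # Rewriting another thread's context is the injection step in process hollowing.
            hits.add("Suspicious use of SetThreadContext")
    return sorted(hits)


def persistence_chain(events):
    """Link a Run key entry to the file that was dropped at the path it points to."""
    dropped = {e["path"].lower() for e in events
               if e.get("api") == "NtCreateFile" and e.get("access") == "write"}
    return [e["path"] for e in events
            if e.get("api") in ("RegSetValueExW", "NtSetValueKey")
            and RUN_KEY_RE.search(e.get("path", ""))
            and e.get("data", "").lower() in dropped]
```

On the constructed log, match_signatures(EVENTS) yields seven of the eight signatures in the report, and persistence_chain(EVENTS) ties the Run value to the executable written into System32, which is the correlation an analyst wants before calling the persistence real rather than incidental. A read of kernel32.dll from System32 does not trigger the drop rule, since only writes count.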

MITRE ATT&CK Enterprise v6

Tasks