General

  • Target

    Archive.688306047ravnr.zip

  • Size

    296KB

  • Sample

    230328-v4benacc43

  • MD5

    844a33e0758eec85b300bd57273615f9

  • SHA1

    429499a9ca3efc1b970b3e08c902c0337b56e09f

  • SHA256

    210dbd36826cc7f97bfeab65600eeb0e17f377d91d7818cf9f14c1cb3677ad26

  • SHA512

    495fd697e695d9a3df41d8dc6444ed5b01535e2af678f357e065e529193d71e8f524a2be3248d86e10f3309bc1dbe12ebb8444648572dcd6bad924d7ac4489fd

  • SSDEEP

    6144:yUdrJ2rEcBrjFmK0Zr8NyEWNxzq+MqmVGKUqmbZG9:ptJgrhmK4AyPNo+MZQKUqmbc

Malware Config

Targets

    • Target

      +

    • Size

      312KB

    • MD5

      087967699a792bf912341b0ad68fc4f6

    • SHA1

      5b338e4ba2da5ad7806ea63eb5f5812d71f24ec4

    • SHA256

      e0f97721582084108b8a84d01f04d05364bb77b2e1ac7e6e476b82fc669652b2

    • SHA512

      7b3e1d9354dbece2e58f2270d61f8d67562a2aa932dc11d73c193f313819b957a9a7ed462702aa236a8c95fa8e7648746b96cae67db2a7bbc90a9ac742377540

    • SSDEEP

      6144:LaVWdyzOxeA1DfdwX3MmIOkF46t2EWNxrq+MqmVGKUqmFVzioUSlptDXdq:LMROxdDfOnMmXC46gPNE+MZEKUqmFFiF

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Target

      Archive.688306047.vbs

    • Size

      8KB

    • MD5

      dfd1724a4e51522d244d96dd58dcd721

    • SHA1

      c8affb1a38d2bebaaf5c91aec4c23f2337533fe8

    • SHA256

      1111e97e61ee666ad9df5a3fe14b37eeb02355c557c2998eb220bc165c0f6f1d

    • SHA512

      f086dd7609b6bca84ce4db9d547eca9b554bb8582b9004eca0797bf4f50a81414c73d10d59e752cc44db723c13ace1e8e600bcc9bb43d48a62e0e419ea121101

    • SSDEEP

      96:ehSF2h2qFlO5E8WDxSAC9H0pmJdy0xjK8rq9yZ9z0tsCNNM:dFIt3XcH0pSHrq9yZ9z/CNNM

    • Detects Grandoreiro payload

    • Grandoreiro

      Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Install Root Certificate (T1130): 1

    Modify Registry (T1112): 2

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 5

    System Information Discovery (T1082): 5

  • Collection

    Data from Local System (T1005): 1

Tasks