General
Target: Archive.688306047ravnr.zip
Size: 296KB
Sample: 230328-v4benacc43
MD5: 844a33e0758eec85b300bd57273615f9
SHA1: 429499a9ca3efc1b970b3e08c902c0337b56e09f
SHA256: 210dbd36826cc7f97bfeab65600eeb0e17f377d91d7818cf9f14c1cb3677ad26
SHA512: 495fd697e695d9a3df41d8dc6444ed5b01535e2af678f357e065e529193d71e8f524a2be3248d86e10f3309bc1dbe12ebb8444648572dcd6bad924d7ac4489fd
SSDEEP: 6144:yUdrJ2rEcBrjFmK0Zr8NyEWNxzq+MqmVGKUqmbZG9:ptJgrhmK4AyPNo+MZQKUqmbc
Behavioral tasks
behavioral1: sample +.exe, resource win7-20230220-en
behavioral2: sample +.exe, resource win10v2004-20230220-en
behavioral3: sample Archive.688306047.vbs, resource win7-20230220-en
behavioral4: sample Archive.688306047.vbs, resource win10v2004-20230220-en
Malware Config
Targets
Target: +
Size: 312KB
MD5: 087967699a792bf912341b0ad68fc4f6
SHA1: 5b338e4ba2da5ad7806ea63eb5f5812d71f24ec4
SHA256: e0f97721582084108b8a84d01f04d05364bb77b2e1ac7e6e476b82fc669652b2
SHA512: 7b3e1d9354dbece2e58f2270d61f8d67562a2aa932dc11d73c193f313819b957a9a7ed462702aa236a8c95fa8e7648746b96cae67db2a7bbc90a9ac742377540
SSDEEP: 6144:LaVWdyzOxeA1DfdwX3MmIOkF46t2EWNxrq+MqmVGKUqmFVzioUSlptDXdq:LMROxdDfOnMmXC46gPNE+MZEKUqmFFiF
Signatures:
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Target: Archive.688306047.vbs
Size: 8KB
MD5: dfd1724a4e51522d244d96dd58dcd721
SHA1: c8affb1a38d2bebaaf5c91aec4c23f2337533fe8
SHA256: 1111e97e61ee666ad9df5a3fe14b37eeb02355c557c2998eb220bc165c0f6f1d
SHA512: f086dd7609b6bca84ce4db9d547eca9b554bb8582b9004eca0797bf4f50a81414c73d10d59e752cc44db723c13ace1e8e600bcc9bb43d48a62e0e419ea121101
SSDEEP: 96:ehSF2h2qFlO5E8WDxSAC9H0pmJdy0xjK8rq9yZ9z0tsCNNM:dFIt3XcH0pSHrq9yZ9z/CNNM
Score: 10/10
Signatures:
- Detects Grandoreiro payload
- Grandoreiro: part of a group of banking trojans targeting Spanish- and Portuguese-speaking countries.
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
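The two persistence signatures in this report ("Registers COM server for autorun" on the + target and "Adds Run key to start application" on the VBS) are both plain registry writes, which makes them the cheapest behaviours here to hunt for on a fleet with Sysmon. The following is an added example, not part of the sandbox report and not code from the Grandoreiro sample: a small Python triage routine over Sysmon Event ID 13 (RegistryEvent, value set) records in JSON-lines form. It assumes a Sysmon export with the fields EventID, Image, TargetObject and Details, and that "Registers COM server for autorun" corresponds to a per-user InprocServer32/LocalServer32 entry under HKCU\Software\Classes\CLSID (the usual COM-hijack route). Every record, path, SID and CLSID below is constructed for the example and is not an indicator from this sample.

```python
"""Triage Sysmon Event ID 13 (RegistryEvent: value set) records for the two
persistence behaviours named in the report: a Run-key autostart value and a
per-user COM server registration. Sysmon writes the user hive as HKU\\<SID>\\...,
so that is what the patterns expect. All records are constructed for this
example; none are indicators from the sample."""
import json
import re

# A value written directly under a Run / RunOnce key, in any hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Per-user COM server path: writable without elevation and merged into HKCR
# ahead of the HKLM entry for the same CLSID for non-elevated processes.
COM_SERVER_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\(InprocServer32|LocalServer32)(\\|$)",
    re.IGNORECASE,
)
# Directories a dropper can write to without elevation.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)
# Script hosts / LOLBins that should rarely be the author of an autostart entry
# (behavioral3/4 in the report run the .vbs dropper under wscript.exe).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "regsvr32.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_registry_event(event):
    """Return a finding for one record, or None if it is not an autostart write."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if RUN_KEY_RE.search(target):
        technique = "run_key_autostart"
    elif COM_SERVER_RE.search(target):
        technique = "user_com_server_registration"
    else:
        return None
    details = event.get("Details", "")
    image = event.get("Image", "")
    reasons = []
    if USER_WRITABLE_RE.search(details):
        reasons.append("value points into a user-writable directory")
    if _basename(image) in SCRIPT_HOSTS:
        reasons.append("written by a script host or LOLBin")
    return {
        "technique": technique,
        "image": image,
        "target": target,
        "details": details,
        # Any autostart write is worth seeing; escalate when a dropper-like
        # path or writer is involved, so vendor installers stay low.
        "severity": "high" if reasons else "low",
        "reasons": reasons,
    }


def triage_registry_events(jsonl):
    """Parse JSON-lines Sysmon records and return findings in input order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = classify_registry_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one benign HKLM Run entry from an installer, one Run
# entry written by wscript.exe into AppData, one per-user COM registration by
# the dropped EXE, and one non-registry event that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /silent"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Archive", "Details": "C:\\Users\\alice\\AppData\\Roaming\\Archive\\plus.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Archive\\plus.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{0B1C2D3E-4F50-6172-8394-A5B6C7D8E9F0}\\InprocServer32\\(Default)", "Details": "C:\\Users\\alice\\AppData\\Roaming\\Archive\\plus.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe Archive.688306047.vbs"}
"""

if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_LOG):
        print(f["severity"], f["technique"], f["image"], "->", f["details"], f["reasons"])
```

Sysmon does not record registry reads, so the report's other two registry behaviours (the country-code geofence lookup and the Uninstall-key enumeration) are not visible this way; those need an API-monitor or sandbox trace such as the one above. The per-user CLSID check is deliberately restricted to HKU so that ordinary HKLM COM registrations by installers do not surface.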