General

  • Target

    2021TaxReturn.pdf.lnk

  • Size

    2KB

  • Sample

    230518-218z3sda5s

  • MD5

    abfb8cb663d3c83fb08a3af838397f91

  • SHA1

    50bbeaedce657d3334f7cddeef739c8057d1d0c9

  • SHA256

    44146f5f5cbcfa52f7fc379dc3e70be7d3e7b7ceeb926c1b0d135650702d6278

  • SHA512

    1c09be735db0e522a458e2781a679e0c792b307be7dfe2a4827d4434aa167c82b45b4505782fb643edb60a313b3d358f7dbc7a7b7824fc0634821569752cdfa6

Malware Config

Targets

    • Target

      2021TaxReturn.pdf.lnk

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks