General

  • Target

    statement_Invoices_Reference-036364-MTRY__127KB_0002637483847.vbs.zip

  • Size

    3KB

  • Sample

    230717-2c6vtafa63

  • MD5

    d3d588c8d4ab5de738a685aaf1e66e4c

  • SHA1

    d4538041c771a99057e26c04515cc96f29826c59

  • SHA256

    6b08992898504c5bdde66ecc9ab7f7056f47ecb03c6933f499ffe57ad5d7284a

  • SHA512

    f70de5c36bb7a3b8f1571307ad1b7289879ab12fa06161d04e3d4ce8d346d2a7de10c17b601eba99e9be94868ea9a89cd546c34c63c7662c76c5d2fbd6f06593

Malware Config

Targets

    • Target

      statement_Invoices_Reference-036364-MTRY__127KB_0002637483847.vbs

    • Size

      5KB

    • MD5

      ce677ec8d31b4ec16a5d5002ffa6d879

    • SHA1

      cdcd03d24a82444ad65b92b66998e73cfd7e6d86

    • SHA256

      dcd26e9ef9f50646f285a1b577e077cf2d0d33d0c7eab174034fee6f33a234d9

    • SHA512

      4d8ff9dc4291fd39a1e408afb8b76428d52a63357b4e2b8d28b408bfbefd6b62106149f714b802d58d9fa56989da024215ff721d8faa1445426401ed5a0f4f53

    • SSDEEP

      96:iZnw976Pn5oqr0GSIiC2NlDrx1gDS26xcWNGTip1b:vqFjAlXxO+S61b

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent file, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
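
The signatures above are behaviour matches over the sandbox's API trace. The following Python is an added example (not part of the report and not the sandbox's own rule engine) that maps a constructed trace to those same signature names, so an analyst can reproduce the classification over their own tooling's output. The event records are constructed for illustration; the QEMU guest agent path, the Geo\Nation registry location, the THREADINFOCLASS value 0x11, the thread-creation flag 0x4 and the cross-process SetThreadContext heuristic are assumptions drawn from public Windows documentation, not from the report.

```python
"""Classify constructed sandbox API events against the report's behaviour signatures.

Everything in SAMPLE_EVENTS is constructed for this example. The paths and
constants below are assumptions (public Windows documentation), not report data.
"""
import re

# Assumed locations/constants (not taken from the report).
QEMU_AGENT_RE = re.compile(r"\\qemu-ga\\qemu-ga\.exe$", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
THREAD_HIDE_FROM_DEBUGGER = 0x11            # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

# Constructed API trace, one dict per call, in the shape a sandbox might emit.
SAMPLE_EVENTS = [
    {"api": "NtQueryAttributesFile", "path": r"C:\Program Files\qemu-ga\qemu-ga.exe"},
    {"api": "RegQueryValueExW", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"api": "RegSetValueExW", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "statement", "data": r"C:\Users\victim\AppData\Roaming\stmt.exe"},
    {"api": "NtSetInformationThread", "info_class": 0x11},
    {"api": "NtCreateThreadEx", "flags": 0x4},
    {"api": "SetThreadContext", "target_pid": 4321, "own_pid": 1234},
    {"api": "CreateFileW", "path": r"C:\Users\victim\Desktop\invoice.pdf"},  # benign noise
]

FILE_PROBE_APIS = ("NtQueryAttributesFile", "CreateFileW", "GetFileAttributesW")


def classify(event):
    """Return the signature name a single event matches, or None if it is benign."""
    api = event.get("api", "")
    if api in FILE_PROBE_APIS and QEMU_AGENT_RE.search(event.get("path", "")):
        return "Checks QEMU agent file"
    if (api.startswith("RegQueryValue") and GEO_KEY_RE.search(event.get("key", ""))
            and event.get("value", "").lower() == "nation"):
        return "Checks computer location settings"
    if api.startswith("RegSetValue") and RUN_KEY_RE.search(event.get("key", "")):
        return "Adds Run key to start application"
    if api == "NtSetInformationThread" and event.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
        return "Suspicious use of NtSetInformationThreadHideFromDebugger"
    if api == "NtCreateThreadEx" and event.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
        return "Suspicious use of NtCreateThreadExHideFromDebugger"
    # Heuristic (assumption): SetThreadContext against a thread in another process
    # is the injection/hollowing pattern worth flagging.
    if api == "SetThreadContext" and event.get("target_pid") != event.get("own_pid"):
        return "Suspicious use of SetThreadContext"
    return None


def triage(events):
    """Return the sorted, de-duplicated list of signature names hit by a trace."""
    return sorted({sig for sig in map(classify, events) if sig})


def persistence_entries(events):
    """Extract (value name, command) pairs written under a Run key, for IOC export."""
    return [(e["value"], e["data"]) for e in events
            if classify(e) == "Adds Run key to start application"]


if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print(name)
    print(persistence_entries(SAMPLE_EVENTS))
```

Feeding a real trace through classify() requires only normalising the field names; the matching is deliberately on the key path and API constants rather than on filenames, so the Run-key and geofence checks still fire when the dropper name changes.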

MITRE ATT&CK Enterprise v6

Tasks