General

  • Target

    https://cdn.discordapp.com/attachments/1204641288696238120/1213402845844471848/Vanadium.zip?ex=65f55876&is=65e2e376&hm=90e65f1ed2aa52885ada3d6810dac4454bfb4ec48a2ce7bb3be756c203984031&

  • Sample

    240302-zl3teahc9v

Malware Config

Targets

    • Target

      https://cdn.discordapp.com/attachments/1204641288696238120/1213402845844471848/Vanadium.zip?ex=65f55876&is=65e2e376&hm=90e65f1ed2aa52885ada3d6810dac4454bfb4ec48a2ce7bb3be756c203984031&

    • Enumerates VirtualBox DLL files

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks