General

  • Target

    1c3db7d3d072707e609209a6e1bf54b830a0db37145d088a28894c0458564595.iso

  • Size

    248KB

  • Sample

    240418-bhl5gsfh7t

  • MD5

    a1369541890d9ce089123c0c9dcadd2a

  • SHA1

    b0fe01cb16cebb85a997d84240dc60a3e7a0beb9

  • SHA256

    1c3db7d3d072707e609209a6e1bf54b830a0db37145d088a28894c0458564595

  • SHA512

    43c02fa5d03660f93c01758ff008a0e5bb47d9505a409c054bb85648c180c7321ee2926f1a797b2d0156088e1e1dbf80537d48e37bd08105593b46bf9afbf558

  • SSDEEP

    6144:GrR8ccABOwbDA2zJETxVu1vH/rsqfXB2moC:Ocyoq

Malware Config

Targets

    • Target

      Carlispa_Ordine_00401702400417.vbs

    • Size

      187KB

    • MD5

      947d8500e25de01d02c5dc254d67c248

    • SHA1

      c073a8f64f2cbb46a1ea768b8c701d17a413b984

    • SHA256

      fbd7521613eeda606382f56a500c5015af001af819556b056bd1ef076820e297

    • SHA512

      fa53189ba4094b1af7a514acf85f832fe51ea2714afb4adea87193ead46c0e01c78f76ccfd342db58bddb45be237bf7d03326194553243d3085488b026294669

    • SSDEEP

      3072:2+w8jqrKK8ccABOwbDS2y2zJETxUuoHh36wH/OLxCxTwvNPapsCRXBDo5mFSartr:GrR8ccABOwbDA2zJETxVu1vH/rsqfXB7

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks