General

  • Target

    dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs

  • Size

    42KB

  • Sample

    240418-xqw6bacb46

  • MD5

    5734e6a07be159df58b947596cad09dd

  • SHA1

    ee9358bab004d5c4e986172bbd0e1af6c85f6663

  • SHA256

    7f5ffd39a86f314a261131081bc9557a9f755222ac164bef9a2ee32a6c7b6cd3

  • SHA512

    bc420981fe9dbccc9ff71526794c186bbbcd13043bde99710db41f87eddd40ddb35b8c7606afff3634dea3ac1f0ae53b5e6667f44e0e5c64c88c752f4b1ab3ab

  • SSDEEP

    768:la5Mt7HMMhtM029ceFAyg0od10q1ZsaaNWVr96XtlyE:lLtFh1DeFAH0ofxKkWtl3

Malware Config

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

    • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

    • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

    • Modify Registry (T1112): 2

Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 2
