General

  • Target

    COMMERCIAL INVOICE_Final.pdf.arj

  • Size

    143KB

  • Sample

    240423-k319ksfa56

  • MD5

    a86814b1919c25d0f2aa7290e548e2d7

  • SHA1

    2ced33ef22c968708ff5097d1971197889ef1cdd

  • SHA256

    647a7adb9e483de40c1621608116a8d50cb5a0622755f555d8d11ffdc4c609a2

  • SHA512

    6a2778f0ca82eac5382a838eda1fa924e5d2682ba174daea4bfdfb4b51c8de9be7705d618111d28f0f3b2e226b6de60a83795937da74fc1449da6f2664b68f6f

  • SSDEEP

    3072:fTAIPPujTvSBLwlZi9I/lhF8t72dp0E83oZG4+4zHKJHQuKQDFis:fT3PQvSB6Z4y872/0EWoZG4BbLuis

Malware Config

Targets

    • Target

      COMMERCIAL INVOICE_Finalpdf.vbs

    • Size

      279KB

    • MD5

      d51dd423c5f2103977df604208989252

    • SHA1

      4944a47a3a05658a7fec601bf526c7913832c587

    • SHA256

      e5ec544c99937977cbd0e3df39fcf93f234ff1855ceb23a758a98ba1dfa0c002

    • SHA512

      e91bc05bd874233aa264b244ae0ff0faa0fed6ca4161d2af89f8da4099b79c55b6837cf14416a5e1031faf80cf46b3a821803c432a5d7cc99798367509647709

    • SSDEEP

      6144:L6dAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOb987HIJFJW:WnS2ImtCo5inX

    • GuLoader (CloudEyE)

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
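The two registry-based signatures above (Run key persistence and the country-code lookup) are the ones an analyst can re-derive from a registry trace. The Python below is an added illustration of that triage logic; it is not the sandbox's own signature engine and not code from the sample. The registry paths it matches (`...\CurrentVersion\Run` / `RunOnce` for autostart, `Control Panel\International\Geo\Nation` / `Geo\Name` for the configured location), the event format, the severity rules and the sample trace are all assumptions made here: the page names the behaviours, not the exact keys the sandbox matched. Findings are tagged with the ATT&CK IDs the matrix on this page lists for each behaviour.

```python
import re
from dataclasses import dataclass

# Registry paths are assumptions for this illustration; the report names the
# behaviours, not the keys the sandbox matched.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
GEO_KEY_RE = re.compile(
    r"\\Control Panel\\International\\Geo\\(Nation|Name)$", re.IGNORECASE)
# Heuristics that raise severity of a Run-key write: script payloads and
# user-writable drop locations are typical of downloader stagers.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|hta)\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(Users|ProgramData)\\|%(APPDATA|TEMP|LOCALAPPDATA)%", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


@dataclass(frozen=True)
class RegEvent:
    op: str          # "set" (value written) or "query" (value read)
    image: str       # process that performed the operation
    path: str        # full registry path ending in the value name
    data: str = ""   # value data, for "set" events


@dataclass(frozen=True)
class Finding:
    signature: str
    attack_ids: tuple
    severity: str
    image: str
    path: str


def classify(ev):
    """Map one registry event to the report's signatures and ATT&CK IDs."""
    out = []
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.op == "set" and RUN_KEY_RE.search(ev.path):
        # Autostart entry: T1547.001 (Persistence / Privilege Escalation) and
        # T1112 Modify Registry (Defense Evasion), as on the matrix.
        severity = "medium"
        if (proc in SCRIPT_HOSTS or SCRIPT_EXT_RE.search(ev.data)
                or USER_WRITABLE_RE.search(ev.data)):
            severity = "high"  # script host, script payload, or user-writable path
        out.append(Finding("Adds Run key to start application",
                           ("T1547.001", "T1112"), severity, ev.image, ev.path))
    if ev.op == "query" and GEO_KEY_RE.search(ev.path):
        # Reading the configured country: T1012 Query Registry and
        # T1082 System Information Discovery (the geofence check).
        out.append(Finding("Checks computer location settings",
                           ("T1012", "T1082"), "low", ev.image, ev.path))
    return out


def triage(events):
    """Run classify() over a whole trace, preserving event order."""
    findings = []
    for ev in events:
        findings.extend(classify(ev))
    return findings


def attack_ids(findings):
    """Distinct ATT&CK IDs observed, sorted for a stable summary line."""
    return sorted({tid for f in findings for tid in f.attack_ids})


# Constructed sample trace (not data from the sandbox run), modelled on the
# behaviours the report lists for the dropped VBS.
SAMPLE_EVENTS = [
    RegEvent("query", r"C:\Windows\System32\wscript.exe",
             r"HKCU\Control Panel\International\Geo\Nation"),
    RegEvent("set", r"C:\Windows\System32\wscript.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Invoice",
             r'wscript.exe "C:\Users\victim\AppData\Roaming\COMMERCIAL INVOICE_Finalpdf.vbs"'),
    # Benign-looking write: an installer registering its own updater.
    RegEvent("set", r"C:\Program Files\Vendor\setup.exe",
             r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
             r'"C:\Program Files\Vendor\update.exe" /silent'),
    # Unrelated registry write that must not match the Run-key rule.
    RegEvent("set", r"C:\Windows\explorer.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.signature}: {', '.join(f.attack_ids)}"
              f"  <- {f.image} -> {f.path}")
    print("ATT&CK:", ", ".join(attack_ids(results)))
```

The severity split matters in practice: a Run-key write by itself is common installer behaviour, while a script host writing an autostart entry that points at a `.vbs` under the user profile is the pattern this sample shows and is what should page an analyst. Both the allow-list of script hosts and the path heuristics are starting points to tune against your own baseline.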

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                             Count  ID
  Persistence            Boot or Logon Autostart Execution     1      T1547
                         Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation   Boot or Logon Autostart Execution     1      T1547
                         Registry Run Keys / Startup Folder    1      T1547.001
  Defense Evasion        Modify Registry                       2      T1112
  Discovery              Query Registry                        1      T1012
                         System Information Discovery          2      T1082
  Command and Control    Web Service                           1      T1102

Tasks