Overview

overview

10

Static

static

3

546F9B0627...4B.exe

windows7-x64

10

546F9B0627...4B.exe

windows10-2004-x64

3

Amortissem...gy.ps1

windows7-x64

8

Amortissem...gy.ps1

windows10-2004-x64

8

Bgerglas/A...er.dal

windows7-x64

3

Bgerglas/A...er.dal

windows10-2004-x64

3

Femoral.tar

windows7-x64

3

Femoral.tar

windows10-2004-x64

3

Spiseske/I...nt.txt

windows7-x64

1

Spiseske/I...nt.txt

windows10-2004-x64

1

Spiseske/I...et.byl

windows7-x64

3

Spiseske/I...et.byl

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    546F9B0627BA8679B8E9610BC1D7E24B.exe

  • Size

    689KB

  • Sample

    240424-w8dw1sfb23

  • MD5

    546f9b0627ba8679b8e9610bc1d7e24b

  • SHA1

    46192bc20df587e4ac55db8bce83e24dd3a1ba40

  • SHA256

    1ac701f312d9e8422f4cdb3d527405a269c25ec0f28ef614080ce98dd9480128

  • SHA512

    01876f5f66d9e277ff72596318f4170c84178dda783a98b3dd9c2fdd5fc0c925790ef32f36a1ef8e0af738b5b4761413eb2023e572b116ecd4f9688eb488672d

  • SSDEEP

    12288:60oU0UEneHuDY7nCkEPaT24WxsdUSFbE27UwvfGF9oZFuh9K35:mxneHuDYukEPAWxsWSFbXzveF9orzJ

Score
10/10
guloaderdownloaderpersistence

Malware Config

Targets

    • Target

      546F9B0627BA8679B8E9610BC1D7E24B.exe

    • Size

      689KB

    • MD5

      546f9b0627ba8679b8e9610bc1d7e24b

    • SHA1

      46192bc20df587e4ac55db8bce83e24dd3a1ba40

    • SHA256

      1ac701f312d9e8422f4cdb3d527405a269c25ec0f28ef614080ce98dd9480128

    • SHA512

      01876f5f66d9e277ff72596318f4170c84178dda783a98b3dd9c2fdd5fc0c925790ef32f36a1ef8e0af738b5b4761413eb2023e572b116ecd4f9688eb488672d

    • SSDEEP

      12288:60oU0UEneHuDY7nCkEPaT24WxsdUSFbE27UwvfGF9oZFuh9K35:mxneHuDYukEPAWxsWSFbXzveF9orzJ

    Score
    10/10
    guloaderdownloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Amortissement/Blokdiagrammets/Superline/Elogy.chi

    • Size

      55KB

    • MD5

      2b73e0d24d799259480051998efba53e

    • SHA1

      fe97fa385a6b05cd610326714057ea525cee290c

    • SHA256

      ed906e2d74ae966bee4d6df8643d016cbb29c15bfce975e2d50334ecf9a4ac07

    • SHA512

      a07f4e7fa1f3982f602f4d36664824e5e8905a7299b6ebfa455b1d03c320efd213f9386da6a79aac67ea8b489514279ef372a43c8fe934d0995e8b7140c22430

    • SSDEEP

      768:qNowTSDmiDAEbVGfJQeVgeLkul6uMF+2cuLPkvGLho56+9RI380vna3JZdVD6k8j:qmwTG5D9bEWqgUkkd1vse/9x0/GdVK

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

    • Target

      Bgerglas/Abcissa/forberedelseseksaminer.dal

    • Size

      2KB

    • MD5

      1d16e298bf5135909283e47166048b0f

    • SHA1

      45de2032ad009d9d9a485f7b22fee5f0d11d6626

    • SHA256

      9bfcbdc740ab58df13cd9dbfa153f6765a05e9f699606f63fad7f13c4dbe8af9

    • SHA512

      971b8794d1f7acdac67125aa7c1ac51bb7a68494e10a84f3250378ce691996f0438f9beee81644f6f4168e73624f6c6d01acf0c4b4f12ec3fd8dc875fb8ea319

    Score
    3/10
    behavioral5behavioral6

    • Target

      Femoral.Tar

    • Size

      302KB

    • MD5

      2e7cf94619b29db1ee66cb7ad3b73e31

    • SHA1

      d07eac327a721a07c3f79de6850f5a1b039f37d6

    • SHA256

      69e737b3d045f74bd2afb7231f722c979936a9ecdd27abd007ff0b76be3d46f5

    • SHA512

      fd6bcacc56ba9572c5ba402e900cef7c461f47fb44a613f59ccf528793fdaa00b518b03daea1c8bfc4e96e1964e571a6fd6295bf73b46c37a80b01273871080e

    • SSDEEP

      6144:Q1aF84Jvxm32d5WIjO7aMLPWZSzr0at9bTbAh4epn+AF:uaF16mWzaMDzr9bbHAhXH

    Score
    3/10
    behavioral7behavioral8

    • Target

      Spiseske/Interwovenly/Pear/Italically120/Ljtnant.txt

    • Size

      390B

    • MD5

      e3cce4f874ce2c0b4504206ae7697fe3

    • SHA1

      b9f3300f23d9f8984a08e59bebd2df5909d38af3

    • SHA256

      5739bf36f5bf9892b751272cb5a448f1ecd50d319951dcb03238bfedc7a3ad52

    • SHA512

      ed94762488119a612656fce29e95b5b532cae6b10315be14ff525031a2506c074741d2eafca6980caeba56d87a21c707fbb18929cd579363c80526d7abe5f52e

    Score
    1/10
    behavioral10behavioral9

    • Target

      Spiseske/Interwovenly/Pear/Italically120/bureaukratiseret.byl

    • Size

      2KB

    • MD5

      82ea6f63b380fb0789e644d4925e3761

    • SHA1

      69389d1c3cfd1996fe852427c16f25c7c48387d8

    • SHA256

      ab7159ac96d37b489637df6cf56d3c4cbaad43991660b0ae3afa4cb5dbd9c9dc

    • SHA512

      033a58e57a5c0ba00cecfd60b9eee3c36ae8a14f791574366d532c428f3b81ae863e215174f1e0e3710d576f4faa546186ad16dd0f795b92c1eb3074090950ee

    Score
    3/10
    behavioral11behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

6
T1082

Query Registry

3
T1012

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks