General
-
Target
Desktop.rar
-
Size
1.2MB
-
Sample
240425-r1411sbf3y
-
MD5
5949c4453beb3c797b69b975108dd038
-
SHA1
8fea051115bddf3145ab931cc1b87116716b7d55
-
SHA256
101709ca246d0ef5a9dad2f4fcaadc6325f122563636e340ebe692f5c3c7f371
-
SHA512
b2c5ec567cb0706556d37c4d383f9fc07e23830c3942169e7f028faf46cb78e7c2b3bd64e228e44648aa14f285432315c7d4179f9724eef0a03b871b2ef1cfc5
-
SSDEEP
24576:BeT08n0CGcYZb11ehW1CIzWWC/NsBeNhEXaHzxf6Ay6/SMz5wvXm2+yljdVXb3m:IQ80CGcYxsLIzWWYsBHatfh/b1cmRyZa
Malware Config
Targets
-
-
Target
29d7ce5a27c3b1f26db84d5c6e0ae0899c3bf7bc1c345ac89cfb38c7e7baba53
-
Size
595KB
-
MD5
f104e0cddd5679a3ffa2a3b5ee70eefe
-
SHA1
1a2e827e24bc502f2e041c23ddf64abc438b7e77
-
SHA256
29d7ce5a27c3b1f26db84d5c6e0ae0899c3bf7bc1c345ac89cfb38c7e7baba53
-
SHA512
74f9ff60c358653ccf1f97c2a82ee59ca43685c34a67d0d9936355ec45964556336a9a034276471d85b49c802a4af3becbf9e750094c9fa8abe50f0aff15eae5
-
SSDEEP
12288:hS0bPOw7r916Bd9nBedIoomaUu56GNIZTTN6VnRMfuQnjd6j:DZ516D9n/mar56G+T4Z6fuQnjEj
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
-
-
Target
5826edef54998a8812124bbddc1942c9ff42992bdd1d5dd3395df71b7bb4c709
-
Size
8KB
-
MD5
f4bc18a7c47f962f55fae4337f58305c
-
SHA1
2d495f027d9781ad933c7a86a58291184b748249
-
SHA256
5826edef54998a8812124bbddc1942c9ff42992bdd1d5dd3395df71b7bb4c709
-
SHA512
5080847c7bfe02e9ca7f0a4f160f4b0ed595eccf74c4659215406a2e1caa4e15acec646e65bff7a561c09f9dadd24df81c2450fc2cd316835dbe81978cdd02cf
-
SSDEEP
192:1MiaSwM+kBjqYop/H+S1UjoiJG+Rhk5lUkDzZhZDUOkHZO+rTIPSotqLmsK:mi7+kHotT1aHJ9TkHUOdDnkkgTIP90s
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
AWB20240425-GW036A.vbs
-
Size
15KB
-
MD5
851a938de8e948fdc84f7c247e868307
-
SHA1
20608ab0ed33379c6aa8c122d7abd6395c773919
-
SHA256
e03a97e8a866aaacc25682c3b75ec079e33a7f86bbb1e996696e91466de2a317
-
SHA512
0b7f4309c7e52ce7b341d754574a33f307ae92ed2134851049d87d005e6711f64aa42c343643db2fe4030a536506db6a436873de21ea45f9b3b53291e9ac7988
-
SSDEEP
384:4k+zpvxiGkmL8tdmUQOoAHCBMFgZvBGZKqWjRe3ie1t:4keMJc8tPh0eK5lSz
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
7cd4bfb3b0e27989012024605cc453dbc8a226b413d84e2560ae4af70d0dc238
-
Size
550KB
-
MD5
568264350ee36fa052e450ea1abb363a
-
SHA1
085eb89757c72c855a31bb06ae64badf51a8cf54
-
SHA256
7cd4bfb3b0e27989012024605cc453dbc8a226b413d84e2560ae4af70d0dc238
-
SHA512
9788bbe3740f12ce75897b037e1a9032ec3d1bb3d66922804ce411a54ce77efc8ace343bae132bb10a5f36ec8c41402b6b440fcb7cfa170e7ce917f93c0931f6
-
SSDEEP
12288:c4gOtjAMa0XvCH43s7QcCGazY66yDZoJlu:c4v1XvCH43s7QcCGazM3
Score1/10 -
-
-
Target
bec046135e9d128cf6021e387a8d8b7aab1f703b44564b53c54e422da2cf5bbe
-
Size
411KB
-
MD5
c6cf7aa9974d5c363fa21a5d9947dec5
-
SHA1
f833a5a909b32edb3c307c8188cd9331c6abc4b2
-
SHA256
bec046135e9d128cf6021e387a8d8b7aab1f703b44564b53c54e422da2cf5bbe
-
SHA512
447d97bd04b840f381f0776de211e422d5d3e2b8bb976f043472c330e8c3d54da615190b021afe0a652f29f01daba655f9a6ad5b3decac76dce1d4ae77ea7a00
-
SSDEEP
6144:gVdvczEb7GUOpYWhNVynE/mFPEXmiEcrK6R/yAKUYxuAHQyqPOBIy/qHI:gZLolhNVyETXmb6K6RqAC5w/CI6qHI
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
bf71b1cf3516a2ad02efdda83c6f902e7139db69c1035a7e653ed09f5d27cbbc
-
Size
117KB
-
MD5
dcd9b6aa9fd9f5c3565c6d5eeeedf001
-
SHA1
e235b5e1532ab8dea0712389736124b64c3c639f
-
SHA256
bf71b1cf3516a2ad02efdda83c6f902e7139db69c1035a7e653ed09f5d27cbbc
-
SHA512
149d939a2b9c9c31a562168aa2a74302eb2251908eabda9ed99f8ab099742b181f32f494d664e5104ffdb3e8404d9a1831525ddc93a9826ac30c452c6026c820
-
SSDEEP
3072:gmzm/wcqGwew9jmuv7/P1xCYAt3VQgQrnP/:wocml/aht3uNrnP/
Score10/10-
Modifies visibility of file extensions in Explorer
-
UAC bypass
-
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
-
Size
131KB
-
MD5
c055414e00cb301e35740f3591df4ea4
-
SHA1
e221f5b1ac929c2c04a1fb9e27c6e43d030a0fbb
-
SHA256
e270915d93536de8953dcf4001c4aa95e9b3c3ead079dbde425d65e1f7237efa
-
SHA512
b7be9688a8d6ffa02b67948d4b5b2749396e26a2893ff736ea707c10ad15d8a0314b9d3dfcb1383e50e33c3d82f2e4f72afba2d6e1a3f4ec6e087ac02241ac12
-
SSDEEP
3072:1uxMFsg7SYqAnWAu95iwtLVymzq1MOggzR557/PTShlllllllYPA7Ra3Z:5lSYup9nLomzq1MOggzNPT7PKa3
Score10/10-
Modifies visibility of file extensions in Explorer
-
UAC bypass
-
Renames multiple (67) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Abuse Elevation Control Mechanism
2Bypass User Account Control
2