General

  • Target

    25042024_2231_25042024_AWB20240425-GW036A.7z

  • Size

    8KB

  • Sample

    240425-rv3k1abe9z

  • MD5

    f4bc18a7c47f962f55fae4337f58305c

  • SHA1

    2d495f027d9781ad933c7a86a58291184b748249

  • SHA256

    5826edef54998a8812124bbddc1942c9ff42992bdd1d5dd3395df71b7bb4c709

  • SHA512

    5080847c7bfe02e9ca7f0a4f160f4b0ed595eccf74c4659215406a2e1caa4e15acec646e65bff7a561c09f9dadd24df81c2450fc2cd316835dbe81978cdd02cf

  • SSDEEP

    192:1MiaSwM+kBjqYop/H+S1UjoiJG+Rhk5lUkDzZhZDUOkHZO+rTIPSotqLmsK:mi7+kHotT1aHJ9TkHUOdDnkkgTIP90s

Malware Config

Targets

    • Target

      AWB20240425-GW036A.vbs

    • Size

      15KB

    • MD5

      851a938de8e948fdc84f7c247e868307

    • SHA1

      20608ab0ed33379c6aa8c122d7abd6395c773919

    • SHA256

      e03a97e8a866aaacc25682c3b75ec079e33a7f86bbb1e996696e91466de2a317

    • SHA512

      0b7f4309c7e52ce7b341d754574a33f307ae92ed2134851049d87d005e6711f64aa42c343643db2fe4030a536506db6a436873de21ea45f9b3b53291e9ac7988

    • SSDEEP

      384:4k+zpvxiGkmL8tdmUQOoAHCBMFgZvBGZKqWjRe3ie1t:4keMJc8tPh0eK5lSz

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                 Technique                             ID          Count
Persistence            Boot or Logon Autostart Execution     T1547       1
Persistence            Registry Run Keys / Startup Folder    T1547.001   1
Privilege Escalation   Boot or Logon Autostart Execution     T1547       1
Privilege Escalation   Registry Run Keys / Startup Folder    T1547.001   1
Defense Evasion        Modify Registry                       T1112       2
Discovery              Query Registry                        T1012       1
Discovery              System Information Discovery          T1082       2

Tasks