204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730 | Triage

Submit
Reports

Overview

overview

Static

static

8

204a8346a4...30.doc

windows7-x64

204a8346a4...30.doc

windows10-2004-x64

Sharing

General

Target

204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730.doc
Size

554KB
Sample

240512-bex3kshb2t
MD5

c7372d16dc2ed8b7a0ffa8d9f2b6b0f2
SHA1

6ed09650439538b2d76ccfc23902416c419eac63
SHA256

204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730
SHA512

7f5d34ed62f89943e7dec3f2df49d6da54fbf9f996d0d3b7554871bb5c2afc60c65830760cb866092092284a9cd38310757ff718010124edaeb07e6e464a5d16
SSDEEP

12288:qC79BbmKy2AfG3CQ7nKS9LhS8jWxZIVEs0Rk4q:qW9BbmXGj9LCxaV6q

Score

10^/10

execution macro macro_on_action spyware stealer

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730.doc

Resource

win7-20240221-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730.doc

Resource

win10v2004-20240426-en

execution spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/bao3125/ff/raw/main/Documen.zip

Targets

- Target
  
  204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730.doc
- Size
  
  554KB
- MD5
  
  c7372d16dc2ed8b7a0ffa8d9f2b6b0f2
- SHA1
  
  6ed09650439538b2d76ccfc23902416c419eac63
- SHA256
  
  204a8346a401f3101361c4571fe1c4bbedc9e54e4f5c181bb7c81cf843286730
- SHA512
  
  7f5d34ed62f89943e7dec3f2df49d6da54fbf9f996d0d3b7554871bb5c2afc60c65830760cb866092092284a9cd38310757ff718010124edaeb07e6e464a5d16
- SSDEEP
  
  12288:qC79BbmKy2AfG3CQ7nKS9LhS8jWxZIVEs0Rk4q:qW9BbmXGj9LCxaV6q
Score

10^/10

execution spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

executionspywarestealer

© 2018-2024

Terms | Privacy