General

  • Target

    IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs

  • Size

    724KB

  • Sample

    240518-w8ehjshd2s

  • MD5

    8a9e78bb8236c5f5d99e6f93be86115a

  • SHA1

    079265e295095e6626324c45b3a6362b804cd119

  • SHA256

    7af58069fd2ceb8da1a60644649787b738b2d41ef32a385f1e1e8711bfba0b7b

  • SHA512

    cc4d362d67f0eee74f8f035bc3d3db10455695db819ce3bb782ef6ac2a795cd389a0db56b5d53126826a7fa4bf62edb54a66eabe1c60c32b11b4ba5b628ae01e

  • SSDEEP

    6144:AsyS5Hz0L9jTGquGSqCG2NPnbY/0M7xxMldTSsp3vraSEPW/snrOLNC51gdQl7VD:gCRT+WPxm3pfqiMwc/MVqAd+27

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
