Resubmissions

20-05-2024 12:26

240520-pmah5sbe2w 10

20-05-2024 12:25

240520-plsckaag66 8

General

  • Target

    88c628c6d4b0fae9daf269d4847fdafa9a62e827.rar.tar.gz

  • Size

    254KB

  • Sample

    240520-pmah5sbe2w

  • MD5

    6db08bdbdb1302e25da47d8e3e8f01ed

  • SHA1

    e1975d8423caadd4562bb257293b02eac9379a7a

  • SHA256

    de66b98eac83b5833abc51e114f15148e56248c1775c8df2462e5cc3d8813d15

  • SHA512

    fbb00e1d2a492052963f64eaf16c51f5fdb2d5d480f2ad326e00298a8ca6f6bd505ebfb16a8b5e8b452424214d491fe8a082f99047c5e840661da6afd3058943

  • SSDEEP

    6144:pF2uNgXEzz3W8A8O0OqPyM0UtTm96vCZgEiPuM9I3LEYUiDGM:f2uNg0fo3qPyqtKtONPC3LEY3F

Malware Config

Targets

    • Target

      IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs

    • Size

      724KB

    • MD5

      8a9e78bb8236c5f5d99e6f93be86115a

    • SHA1

      079265e295095e6626324c45b3a6362b804cd119

    • SHA256

      7af58069fd2ceb8da1a60644649787b738b2d41ef32a385f1e1e8711bfba0b7b

    • SHA512

      cc4d362d67f0eee74f8f035bc3d3db10455695db819ce3bb782ef6ac2a795cd389a0db56b5d53126826a7fa4bf62edb54a66eabe1c60c32b11b4ba5b628ae01e

    • SSDEEP

      6144:AsyS5Hz0L9jTGquGSqCG2NPnbY/0M7xxMldTSsp3vraSEPW/snrOLNC51gdQl7VD:gCRT+WPxm3pfqiMwc/MVqAd+27

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks