General

  • Target

    doc-r25-210341853.lzh

  • Size

    6KB

  • Sample

    240521-m8246sbd3y

  • MD5

    20f2349a3773984feb25b06739bf3c29

  • SHA1

    f6f99623b30438321291db46c92204cb08e89131

  • SHA256

    e326b641ae9ba609906dc1079074644e57dc2709c710321465d86af51117284e

  • SHA512

    f562519740ccc6b22981728dd1a3c4244c92ea2841b609bde743c74632db5588c26d5740e3303d2a5f5844d6a7354a133d023da3a4470ba8e067b2b634bc0250

  • SSDEEP

    192:LZbKJhBezaMlj/Tl3AiTR9IXKFxQZ94MkQQdg:cbyaMZ/TlfdaAWQ2

Malware Config

Targets

    • Target

      doc-r25-210341853.vbs

    • Size

      15KB

    • MD5

      3ed6d6263087df6acb50d383f9646c77

    • SHA1

      3d11f3a396909f4bdda0b8b8bb7ef6b8abbad17c

    • SHA256

      7c9097341df9125478424c57b39c394062838aaa04bcc5725cd4a49a3b3555d9

    • SHA512

      e5ce4ee9fb452025cff79e23c3f335fe8b34dce4e5b315e258815212ac9cd929881c690a95d397deec0c635a0115c4eb176b557e2e877449e9a9116f8dc99f64

    • SSDEEP

      192:3Kyq8AvxRaqxtLpoMPpzkd/5Bpt0yPPGEIv97BreF56xrkoAD+h0nVJ:ayqlZRzmMxI19PGn9kF0xrgD+m

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks