General

  • Target: Shipping Docu + BL.lzh
  • Size: 6KB
  • Sample: 240521-nb2mtabe5w
  • MD5: 57b39e8b2dc23e0bcd15afe81c688e83
  • SHA1: 54a262c6c4f5a53fa8539b677170fd2fdcc69122
  • SHA256: a73f8655b5a4fd0692a111ccdf5b0bdb38af5b37703fce77226e06b5dbec10fe
  • SHA512: 4416288c90d444c9edfe027598885ea17d6ff2a17ba0252f7b20d9dbb3032851eb44075dad864ecb3817164d73be80ec00e880b8a1b366a7e88b188304d69968
  • SSDEEP: 96:eWVThknpsUI+luP2c7eWDnQvJG7gT0yOTcVO5VAQityETTzShk9arI1HmrdFLneI:ekhENXoecNnMGPyVk2QiXTW/VrdRne6f

Malware Config

Targets

    • Target: Shipping Docu + BL.vbs
    • Size: 13KB
    • MD5: 12e0264eaf14daca0cd45da32ea68c80
    • SHA1: 56774e10d374a80549d06406f52514c06634c5e4
    • SHA256: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66
    • SHA512: 8d80725c889c722be19dd07bda6c8ed29d2a2d5cd8f353eb5df7f4f998538c7ca8afd08993800c7cdb2772f6b5c51e78399c51e486c19fafa29f963acdc6b66e
    • SSDEEP: 192:6i9I38fdqWxBTsQqkqYK2yud66mT7LdjnPm4oTgWXvA/YJgzyv3tEQpK:1I3IddsMqYK2ndc1jO4cgZ/+GyPtLK

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks