Overview

overview

10

Static

static

3

a7a04842ca...2f.exe

windows7-x64

10

a7a04842ca...2f.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

  • Size

    652KB

  • Sample

    240522-ch3ynshb2t

  • MD5

    3783014e89435e8f979155435933d4f0

  • SHA1

    c711fb0d97d5d363e241ed5532c6331e0fe8aa57

  • SHA256

    a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f

  • SHA512

    611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010

  • SSDEEP

    12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI

Score
10/10
guloadercollectiondownloaderpersistencespywarestealer

Malware Config

Targets

    • Target

      a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

    • Size

      652KB

    • MD5

      3783014e89435e8f979155435933d4f0

    • SHA1

      c711fb0d97d5d363e241ed5532c6331e0fe8aa57

    • SHA256

      a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f

    • SHA512

      611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010

    • SSDEEP

      12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI

    Score
    10/10
    guloadercollectiondownloaderpersistencespywarestealer

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Detects executables built or packed with MPress PE compressor

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fc3772787eb239ef4d0399680dcc4343

    • SHA1

      db2fa99ec967178cd8057a14a428a8439a961a73

    • SHA256

      9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

    • SHA512

      79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

    • SSDEEP

      192:eS24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OloSl:S8QIl975eXqlWBrz7YLOlo

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks