General

  • Target

    5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs

  • Size

    13KB

  • Sample

    240523-bxjynsgh62

  • MD5

    12e0264eaf14daca0cd45da32ea68c80

  • SHA1

    56774e10d374a80549d06406f52514c06634c5e4

  • SHA256

    5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66

  • SHA512

    8d80725c889c722be19dd07bda6c8ed29d2a2d5cd8f353eb5df7f4f998538c7ca8afd08993800c7cdb2772f6b5c51e78399c51e486c19fafa29f963acdc6b66e

  • SSDEEP

    192:6i9I38fdqWxBTsQqkqYK2yud66mT7LdjnPm4oTgWXvA/YJgzyv3tEQpK:1I3IddsMqYK2ndc1jO4cgZ/+GyPtLK
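
The hash values above are what you would use to confirm that a file pulled from a mail gateway or share is the same sample this report covers. The following is an added example, not part of the sandbox report: it recomputes MD5, SHA-1, SHA-256 and SHA-512 with `hashlib` and returns which of them agree with the report's values. The `PLACEHOLDER` bytes are constructed and will not match; the functions are what you would point at the real `.vbs`. Note that SSDEEP is deliberately left out, since it needs a third-party library and is a similarity score, not an equality check.

```python
"""Verify that a file on disk is the sample described by this report.

Added example, not the sandbox's own code.  REPORT_HASHES is copied from the
General section; PLACEHOLDER is constructed stand-in content that does not
match the report (use digest_file() on the real .vbs instead).
"""

import hashlib

# Digests as listed in the report's General section.
REPORT_HASHES = {
    "md5": "12e0264eaf14daca0cd45da32ea68c80",
    "sha1": "56774e10d374a80549d06406f52514c06634c5e4",
    "sha256": "5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66",
    "sha512": "8d80725c889c722be19dd07bda6c8ed29d2a2d5cd8f353eb5df7f4f998538c7c"
              "a8afd08993800c7cdb2772f6b5c51e78399c51e486c19fafa29f963acdc6b66e",
}


def digest_bytes(data):
    """Compute every algorithm in REPORT_HASHES over an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file through all four hashers at once (one read pass)."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests, expected=REPORT_HASHES):
    """Return the set of algorithm names whose digest equals the report value.

    A non-empty set that is short of all four means a transcription error
    (or, theoretically, a collision); treat anything but a full match as
    "not this sample".
    """
    return {
        name for name, value in digests.items()
        if expected.get(name, "").lower() == value.lower()
    }


def is_report_sample(path):
    """True only when every listed digest of the file agrees with the report."""
    return matches_report(digest_file(path)) == set(REPORT_HASHES)


# Constructed placeholder content; this is NOT the malicious script.
PLACEHOLDER = b'WScript.Echo "placeholder, not the sample"\r\n'

if __name__ == "__main__":
    print(matches_report(digest_bytes(PLACEHOLDER)))  # empty set: not the sample
```

`is_report_sample()` is the call to gate a detonation or an IOC match on; requiring all four digests to agree protects against a typo in a single copied hash.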

Malware Config

Targets

    • Target

      5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Detects executables built or packed with MPress PE compressor

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
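
The behavioural signatures above (location lookup, Run-key persistence, a script host making network requests, thread hiding from the debugger) are individually weak but together form the verdict. The block below is an added example, not the sandbox's own signature engine: it runs simple rules over a constructed, sandbox-style event stream and aggregates hits per process. The event format is invented for the example, and the registry paths it keys on (`HKCU\Control Panel\International\Geo\Nation` for the country code and the `CurrentVersion\Run` key for persistence) and the script-host blocklist are this example's assumptions about what the report's signatures look for.

```python
"""Rule-based triage of process events against the signatures in this report.

Added example, not the sandbox's code.  SAMPLE_EVENTS is constructed; the
registry paths and the process blocklist are assumptions about what the
report's signatures key on.
"""

import json
from collections import defaultdict

# Assumption: script hosts that should not normally originate network traffic.
BLOCKLISTED_PROCESSES = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Assumptions about the registry locations behind the report's signatures.
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events, one JSON object per line (not sandbox output).
# pid 4012 mimics the report's behaviour; pid 7788 is a benign process that
# happens to read the same locale key.
SAMPLE_EVENTS = r"""
{"pid": 4012, "image": "wscript.exe", "op": "registry_read", "path": "HKCU\\Control Panel\\International\\Geo\\Nation"}
{"pid": 4012, "image": "wscript.exe", "op": "registry_set", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "data": "C:\\Users\\Public\\x.vbs"}
{"pid": 4012, "image": "wscript.exe", "op": "network", "dest": "203.0.113.10:443"}
{"pid": 4012, "image": "wscript.exe", "op": "api", "name": "NtSetInformationThread", "arg": "ThreadHideFromDebugger"}
{"pid": 7788, "image": "explorer.exe", "op": "registry_read", "path": "HKCU\\Control Panel\\International\\Geo\\Nation"}
{"pid": 7788, "image": "explorer.exe", "op": "network", "dest": "203.0.113.20:80"}
"""


def classify(event):
    """Map one event to the report signature it matches, or None."""
    op = event.get("op")
    image = event.get("image", "").lower()
    path = event.get("path", "").lower()
    if op == "registry_read" and path == GEO_KEY.lower():
        return "Checks computer location settings"
    if op == "registry_set" and path.startswith(RUN_KEY.lower() + "\\"):
        return "Adds Run key to start application"
    if op == "network" and image in BLOCKLISTED_PROCESSES:
        return "Blocklisted process makes network request"
    if op == "api":
        name, arg = event.get("name"), event.get("arg", "")
        if name == "NtSetInformationThread" and arg == "ThreadHideFromDebugger":
            return "Suspicious use of NtSetInformationThreadHideFromDebugger"
        if name == "NtCreateThreadEx" and "HIDE_FROM_DEBUGGER" in arg:
            return "Suspicious use of NtCreateThreadExHideFromDebugger"
    return None


def triage(event_lines):
    """Return {pid: (image, sorted signature names)} for processes with hits."""
    hits = defaultdict(set)
    images = {}
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        sig = classify(ev)
        if sig:
            hits[ev["pid"]].add(sig)
            images[ev["pid"]] = ev["image"]
    return {pid: (images[pid], sorted(sigs)) for pid, sigs in hits.items()}


def flagged(event_lines, threshold=2):
    """Flag a process only when it trips at least `threshold` distinct
    signatures: a lone locale lookup is common in benign software (see pid
    7788), so the verdict rests on the combination, as in the report."""
    return {pid for pid, (_, sigs) in triage(event_lines).items()
            if len(sigs) >= threshold}


if __name__ == "__main__":
    for pid, (image, sigs) in triage(SAMPLE_EVENTS).items():
        print(pid, image, sigs)
    print("flagged:", flagged(SAMPLE_EVENTS))  # flagged: {4012}
```

The threshold in `flagged()` is the practical caveat: the location lookup alone matches legitimate software that localises itself, so it should raise a verdict only alongside persistence or outbound traffic from a script host.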

MITRE ATT&CK Enterprise v15

Tasks