General

  • Target

    2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

  • Size

    262KB

  • Sample

    240524-mr7y4aea7v

  • MD5

    76923fcaa0a505edf3ad0258599c4ac4

  • SHA1

    c12da3f5b65037e1d8e9c448896476284ad152ee

  • SHA256

    2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905

  • SHA512

    b7e63acbc58fc774ab1b344f8e0c49dfa77287ae355651d6710e9ef47aae3938abe5ce752f39b405e8ae07c9874cb423f88ceca8a9a1c36a11a66e0596dcf4b3

  • SSDEEP

    6144:C+K0JKwduysEcdn0AwZkMJrZJKBRiJ5KGzR9gMYazuS0:LJZ0EcdnTdM5ZJCEv7VCMYaav

Malware Config

Targets

    • Target

      2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

    • Size

      262KB

    • MD5

      76923fcaa0a505edf3ad0258599c4ac4

    • SHA1

      c12da3f5b65037e1d8e9c448896476284ad152ee

    • SHA256

      2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905

    • SHA512

      b7e63acbc58fc774ab1b344f8e0c49dfa77287ae355651d6710e9ef47aae3938abe5ce752f39b405e8ae07c9874cb423f88ceca8a9a1c36a11a66e0596dcf4b3

    • SSDEEP

      6144:C+K0JKwduysEcdn0AwZkMJrZJKBRiJ5KGzR9gMYazuS0:LJZ0EcdnTdM5ZJCEv7VCMYaav

    • GuLoader, CloudEyE

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • NirSoft

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

      NtCreateThreadEx called with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so the new thread never generates debug events for an attached debugger.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger class, which detaches an existing thread from the debugger in the same way.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register state, a step commonly used to redirect execution into injected code.

    • Target

      $PLUGINSDIR/System.dll

      The NSIS System plug-in, extracted at run time to the installer's temporary $PLUGINSDIR; the hashes below are for this dropped DLL, not the main executable.

    • Size

      11KB

    • MD5

      cf85183b87314359488b850f9e97a698

    • SHA1

      6b6c790037eec7ebea4d05590359cb4473f19aea

    • SHA256

      3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

    • SHA512

      fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

    • SSDEEP

      96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug

    Score
    3/10
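
The three thread-tampering signatures above (ThreadHideFromDebugger, NtCreateThreadEx with the hide-from-debugger flag, and SetThreadContext on a foreign thread) are easy to re-derive from a sandbox API-call trace. The following is an added example, not the Triage signature logic and not code from the sample: it models a trace as a list of hooked calls and flags the same three patterns. The Windows constants are documented values; the argument field names (`ThreadInformationClass`, `CreateFlags`, `child_pid`, `target_pid`) are assumed hook-record names, and `SAMPLE_TRACE` is constructed, not captured from this sample.

```python
"""Re-derive the three thread-tampering signatures from an API-call trace.
Added example; the trace records below are constructed, not captured."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Documented Windows constants.
THREAD_HIDE_FROM_DEBUGGER = 0x11             # THREADINFOCLASS value ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
CREATE_SUSPENDED = 0x4                       # CreateProcess dwCreationFlags bit


@dataclass(frozen=True)
class ApiCall:
    pid: int    # process that made the call
    api: str    # API name as a sandbox hook would record it
    args: dict  # hook-captured arguments (field names are assumed, see lead-in)


def analyze_trace(trace: Iterable[ApiCall]) -> list[str]:
    """Return one finding per suspicious call, in trace order."""
    findings: list[str] = []
    suspended_children: set[int] = set()  # pids spawned with CREATE_SUSPENDED
    for call in trace:
        a = call.args
        if (call.api == "NtSetInformationThread"
                and a.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            findings.append(f"pid {call.pid}: NtSetInformationThread(ThreadHideFromDebugger) "
                            f"on thread handle {a.get('ThreadHandle', 0):#x}")
        elif (call.api == "NtCreateThreadEx"
                and a.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER):
            findings.append(f"pid {call.pid}: NtCreateThreadEx with HIDE_FROM_DEBUGGER, "
                            f"start routine {a.get('StartRoutine', 0):#x}")
        elif (call.api in ("CreateProcessA", "CreateProcessW")
                and a.get("dwCreationFlags", 0) & CREATE_SUSPENDED):
            suspended_children.add(a["child_pid"])
        elif call.api in ("SetThreadContext", "NtSetContextThread"):
            target = a.get("target_pid")
            if target is not None and target != call.pid:  # own threads are routine
                note = " (child was created CREATE_SUSPENDED)" if target in suspended_children else ""
                findings.append(f"pid {call.pid}: {call.api} on a thread of pid {target}{note}")
    return findings


# Constructed trace: two hidden-thread calls, one benign NtSetInformationThread
# (ThreadPriority = 2), one ordinary thread, a suspended child and a context
# rewrite on it. Paths and pids are placeholders, not observed values.
SAMPLE_TRACE = [
    ApiCall(4120, "NtSetInformationThread", {"ThreadHandle": 0xFFFFFFFE, "ThreadInformationClass": 0x11}),
    ApiCall(4120, "NtSetInformationThread", {"ThreadHandle": 0x1A4, "ThreadInformationClass": 0x2}),
    ApiCall(4120, "NtCreateThreadEx", {"StartRoutine": 0x2A0000, "CreateFlags": 0x4}),
    ApiCall(4120, "NtCreateThreadEx", {"StartRoutine": 0x7FF6AB101000, "CreateFlags": 0x0}),
    ApiCall(4120, "CreateProcessW", {"lpApplicationName": r"C:\Windows\System32\example-host.exe",
                                     "dwCreationFlags": 0x4, "child_pid": 5212}),
    ApiCall(4120, "SetThreadContext", {"target_pid": 5212, "hThread": 0x1B8}),
    ApiCall(4120, "SetThreadContext", {"target_pid": 4120, "hThread": 0x1C0}),
]

if __name__ == "__main__":
    for line in analyze_trace(SAMPLE_TRACE):
        print(line)
```

The suspended-child bookkeeping is what turns a bare SetThreadContext hit into the stronger injection signal: a context rewrite on a thread the same process just created suspended is the classic hollowing sequence, while SetThreadContext on the caller's own threads is routine and is not reported.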

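"Adds Run key to start application" is the persistence indicator in the list above. A quick triage check on a host is to export the Run/RunOnce keys and look for autostart images that live in user-writable locations rather than Program Files or Windows. The following is an added example, not part of the Triage report: it parses the text of a `reg export` file (`.reg` format, with its `\\` and `\"` escapes), pulls the image path out of each command line, and flags paths under AppData, Temp, ProgramData, Public or Downloads. `REG_EXPORT` is a constructed export with placeholder names and paths, not data from this sample.

```python
"""Audit Run/RunOnce autostart values in a `reg export` text for images in
user-writable locations. Added example; REG_EXPORT is constructed."""
from __future__ import annotations

import re

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# "name"="data" with .reg escapes; dword:/hex: values and the @ default do not match.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escapes: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command: str) -> str:
    """Executable path of an autostart command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_keys(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, image path) for autostart images in user-writable dirs."""
    flagged: list[tuple[str, str, str]] = []
    key: str | None = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not RUN_KEY.search(key):
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        path = image_path(data)
        if any(marker in path.lower() for marker in USER_WRITABLE):
            flagged.append((key, name, path))
    return flagged


# Constructed export: one vendor entry per hive that should pass, two
# user-profile entries that should be flagged, and a non-string value.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"updater"="\"C:\\Users\\victim\\AppData\\Roaming\\example\\loader.exe\""
"svchosts"="C:\\Users\\victim\\AppData\\Local\\Temp\\example.tmp\\run.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\agent.exe\""
"AutoRunCount"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, path in audit_run_keys(REG_EXPORT):
        print(f"{key}\\{name} -> {path}")
```

Unquoted commands are split on the first space, which is correct for the temp-directory style of path malware typically writes but would truncate an unquoted path containing spaces; quote-aware parsing of the `"..."` form handles the other common shape. Run this against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` output (and the HKLM and RunOnce keys) rather than reading the live registry, so the same check works on an offline hive export.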
MITRE ATT&CK Enterprise v15
