General

  • Target

    MalwareBazaar.0

  • Size

    496KB

  • Sample

    240710-ztjqhazclr

  • MD5

    42b4d721bd9b53f9ca33f1e0230366a4

  • SHA1

    ed911ec53f9602dcdcad10506d82ce14cf3cba9e

  • SHA256

    d8dd38405e4992fb8aeddf3bbdb0e9f7f41885426b9894a14e41072408eb95a9

  • SHA512

    638496e923418c6acdc68c2c8e6d2921bd597514ba94f1c5b51cee2e4458cb624fb92a9f4218cf053df66e754185c5d80bbfe03277d8a95d122f631ffca202d5

  • SSDEEP

    6144:39X0GFlllllllqllllllllllllhllllYllltlld0wz/NBnDzXW/GF4ISw0Jb4ZCv:R0NwznXNCl6wvytZeYNU3BbL

Malware Config

Targets

    • Target

      MalwareBazaar.0

    • Size

      496KB

    • MD5

      42b4d721bd9b53f9ca33f1e0230366a4

    • SHA1

      ed911ec53f9602dcdcad10506d82ce14cf3cba9e

    • SHA256

      d8dd38405e4992fb8aeddf3bbdb0e9f7f41885426b9894a14e41072408eb95a9

    • SHA512

      638496e923418c6acdc68c2c8e6d2921bd597514ba94f1c5b51cee2e4458cb624fb92a9f4218cf053df66e754185c5d80bbfe03277d8a95d122f631ffca202d5

    • SSDEEP

      6144:39X0GFlllllllqllllllllllllhllllYllltlld0wz/NBnDzXW/GF4ISw0Jb4ZCv:R0NwznXNCl6wvytZeYNU3BbL

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • UAC bypass

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      521df745a41f0b8164ffd01717cacbba

    • SHA1

      dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74

    • SHA256

      dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b

    • SHA512

      c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

    • SSDEEP

      96:8eZ0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk4jnLiEQjJ3KxkP:tXBfjbUA/85q3wEh8uLmVLpmP

    Score
    1/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      acbda33dd5700c122e2fe48e3d4351fd

    • SHA1

      2c154baf7c64052ee712b7cdf9c36b7697dd3fc8

    • SHA256

      943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0

    • SHA512

      d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      1c8b2b40c642e8b5a5b3ff102796fb37

    • SHA1

      3245f55afac50f775eb53fd6d14abb7fe523393d

    • SHA256

      8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

    • SHA512

      4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

    • SSDEEP

      96:o2DlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx4T8qndYv0PLE:o2p34z/x3sREskpx4dO0PLE

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks