General

  • Target

    31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef.exe

  • Size

    484KB

  • Sample

    240711-v8vn4azbka

  • MD5

    3785429894a5a55d22e27a398a8d71e5

  • SHA1

    ff427e205d09bde3c5ecbe65c986edfdcddb5efb

  • SHA256

    31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef

  • SHA512

    0cbef10c00a09221a0c0c8938f280cf09c1acdf6050c640ff44782f67162d93ad89210e6d3480edd3126c81316c8e6bde2780d1b59926604c5d7e355b631891b

  • SSDEEP

    12288:R0Nwz+NJXmdUBa3I+jRRKzvCOm8qIlo6VcTodU3Bb/:fz+NFdBa4+bkCOfJuRz

Malware Config

Targets

    • Target

      31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef.exe

    • Size

      484KB

    • MD5

      3785429894a5a55d22e27a398a8d71e5

    • SHA1

      ff427e205d09bde3c5ecbe65c986edfdcddb5efb

    • SHA256

      31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef

    • SHA512

      0cbef10c00a09221a0c0c8938f280cf09c1acdf6050c640ff44782f67162d93ad89210e6d3480edd3126c81316c8e6bde2780d1b59926604c5d7e355b631891b

    • SSDEEP

      12288:R0Nwz+NJXmdUBa3I+jRRKzvCOm8qIlo6VcTodU3Bb/:fz+NFdBa4+bkCOfJuRz

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • UAC bypass

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      521df745a41f0b8164ffd01717cacbba

    • SHA1

      dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74

    • SHA256

      dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b

    • SHA512

      c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

    • SSDEEP

      96:8eZ0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk4jnLiEQjJ3KxkP:tXBfjbUA/85q3wEh8uLmVLpmP

    Score
    1/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      acbda33dd5700c122e2fe48e3d4351fd

    • SHA1

      2c154baf7c64052ee712b7cdf9c36b7697dd3fc8

    • SHA256

      943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0

    • SHA512

      d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      1c8b2b40c642e8b5a5b3ff102796fb37

    • SHA1

      3245f55afac50f775eb53fd6d14abb7fe523393d

    • SHA256

      8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

    • SHA512

      4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

    • SSDEEP

      96:o2DlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx4T8qndYv0PLE:o2p34z/x3sREskpx4dO0PLE

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks