Overview

overview

10

Static

static

1

f47cab9efa...b7.exe

windows7-x64

10

f47cab9efa...b7.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    68201a6f398b098b4994a9e5f2d4405c.bin

  • Size

    561KB

  • Sample

    240904-bqwznatcre

  • MD5

    9be3d4cb8a6700e1aebd8ca53c0926ac

  • SHA1

    077daaf470983c7e043c74817f3c63ade0f3db8b

  • SHA256

    72e6d0a6c546804ffdd79fcf20e97d13fd6ef53815a38aee737b6ef9a0a0b8f3

  • SHA512

    49b36187293a6ec94b02527239932eea8c332f96cf05ace688b545bdcf69a39a365b5e63515e9bebd7426f69daf9615b075d86c4c6e11422e1c0e47cf8996f56

  • SSDEEP

    12288:FCb6szbWb1Y44nLzn6wIjo+nWpDIrNuokPwtlL:Fk7bWRB4ywIjRnW+JPRf

Score
10/10
guloadercollectioncredential_accessdiscoverydownloaderevasionexecutionpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe

    • Size

      915KB

    • MD5

      68201a6f398b098b4994a9e5f2d4405c

    • SHA1

      5a39054a39b347e9d294bc42927861692bc03b6b

    • SHA256

      f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7

    • SHA512

      5fc21c049f18297d1d27857dd433a5df77d1bcbc8ecf7ab796ad91443f406355e70159759e519fee313b136ca63179fe2b81fd2f7cdb47868ce5ef9743db6da8

    • SSDEEP

      12288:DBfOreqgPSOONGdVAhCssylYH+ZQnBPmQ8HjWsgrqpqfyl0fGXJ9BqNJowksV3:hOreq0OMAxsyuHdUHjvEO0fG5vq7Hx

    Score
    10/10
    guloaderdiscoverydownloaderexecutionpersistencecollectioncredential_accessevasionspywarestealertrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • UAC bypass

      evasiontrojan

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks