General
-
Target
0000875396597pdf.vbs
-
Size
30KB
-
Sample
240906-ltyyjazela
-
MD5
bb28ef297cfb3d1f4fa2b16058c0025f
-
SHA1
4c8fa31f7ec0fd19b5083f69ab603898e145a4e7
-
SHA256
569e7a854cbade3720fef90d7fa6168acf2758d4f885bc6fb9bb62ffc7b6586d
-
SHA512
e4c6c1efbe5802d3af18b78a741ff2714b86b110f24fccbc8eb63b3eb2bb2fc8f787154bc441ce09542c3d33d4cb4da9aa422f3ed5555a2e866de21bab1a33b8
-
SSDEEP
192:J2zLBF767GjhERV13xnm4w80xwXbgfy4EemQCzOv1g/roKQteACZ/NTncUuN:ga7O8Vznm4w80xwLggx4Wr+tBCfTncUm
Malware Config
Targets
-
-
Target
0000875396597pdf.vbs
-
Size
30KB
-
MD5
bb28ef297cfb3d1f4fa2b16058c0025f
-
SHA1
4c8fa31f7ec0fd19b5083f69ab603898e145a4e7
-
SHA256
569e7a854cbade3720fef90d7fa6168acf2758d4f885bc6fb9bb62ffc7b6586d
-
SHA512
e4c6c1efbe5802d3af18b78a741ff2714b86b110f24fccbc8eb63b3eb2bb2fc8f787154bc441ce09542c3d33d4cb4da9aa422f3ed5555a2e866de21bab1a33b8
-
SSDEEP
192:J2zLBF767GjhERV13xnm4w80xwXbgfy4EemQCzOv1g/roKQteACZ/NTncUuN:ga7O8Vznm4w80xwLggx4Wr+tBCfTncUm
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-