8a45f8d43edd1bc230b016283817a9e9d3ce79a6d03d070d3d11680b301922f9 | Triage

Sharing

General

Target

8a45f8d43edd1bc230b016283817a9e9d3ce79a6d03d070d3d11680b301922f9.vbs
Size

561KB
Sample

240924-kzz74syckj
MD5

e4aec52d2cb3ee69feadc9eb2961c9b7
SHA1

5e1c99f1bd14a14d5fd9031619187a2a616b3a4b
SHA256

8a45f8d43edd1bc230b016283817a9e9d3ce79a6d03d070d3d11680b301922f9
SHA512

d7b026b1ddccd46728095cf7eb44e6476058b70294e3abd868314f494df36db64f9e86cf6e252b70fdfed27b5f0e2e3b2b224c9a4e4406aa952d0c291437e9d4
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFT:k5oGc

Score

10^/10

defense_evasion discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Targets

- Target
  
  8a45f8d43edd1bc230b016283817a9e9d3ce79a6d03d070d3d11680b301922f9.vbs
- Size
  
  561KB
- MD5
  
  e4aec52d2cb3ee69feadc9eb2961c9b7
- SHA1
  
  5e1c99f1bd14a14d5fd9031619187a2a616b3a4b
- SHA256
  
  8a45f8d43edd1bc230b016283817a9e9d3ce79a6d03d070d3d11680b301922f9
- SHA512
  
  d7b026b1ddccd46728095cf7eb44e6476058b70294e3abd868314f494df36db64f9e86cf6e252b70fdfed27b5f0e2e3b2b224c9a4e4406aa952d0c291437e9d4
- SSDEEP
  
  1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFT:k5oGc
Score

10^/10

execution defense_evasion discovery persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoveryexecutionpersistence