Overview

overview

9

Static

static

1

g2.vbs

windows7-x64

9

g2.vbs

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    g2.vbs

  • Size

    26KB

  • Sample

    240928-hwq4xsvfne

  • MD5

    f90461eb21ece97c548dbe0e6e9025c9

  • SHA1

    eae06be00d00450f201aa413889ffaba626e4d13

  • SHA256

    11fe78830162da1f054dcf7f3ab7d068504c77bd483464b489293029c360d37e

  • SHA512

    99023857f4cdc3573f432e23b106bc457a4d4d0dc71658f8301295fb89d899dbee48182971d95178d99e617247d04c3ba390084f9c37ab1b669dc6c7f5d1cf7e

  • SSDEEP

    384:T3g/HsoJewe++NMth4nowwQICXayEhZ7G/rFn1czhuSBw2:MPZePMth4nGQfXaThZ7G/rFn1cNuSBw2

Score
9/10
collectiondiscovery

Malware Config

Targets

    • Target

      g2.vbs

    • Size

      26KB

    • MD5

      f90461eb21ece97c548dbe0e6e9025c9

    • SHA1

      eae06be00d00450f201aa413889ffaba626e4d13

    • SHA256

      11fe78830162da1f054dcf7f3ab7d068504c77bd483464b489293029c360d37e

    • SHA512

      99023857f4cdc3573f432e23b106bc457a4d4d0dc71658f8301295fb89d899dbee48182971d95178d99e617247d04c3ba390084f9c37ab1b669dc6c7f5d1cf7e

    • SSDEEP

      384:T3g/HsoJewe++NMth4nowwQICXayEhZ7G/rFn1czhuSBw2:MPZePMth4nGQfXaThZ7G/rFn1cNuSBw2

    Score
    9/10
    collectiondiscovery

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks