318550907c41746ca0a815c0b8856e42cda84a2db6700311a89766d5aa136c9f | Triage

Sharing

General

Target

vb.vbs
Size

1KB
Sample

241003-rey8msyglr
MD5

4f06b12e890e19ecc7d71fb0353e209c
SHA1

5064eeaef0e706cbac734bd014993805a96e70db
SHA256

318550907c41746ca0a815c0b8856e42cda84a2db6700311a89766d5aa136c9f
SHA512

7a40b05e1c30ef6617a73b7679f5caaa023e717b70fd3821b0468dc06e5a29a0dffff73167842c897c35d86fc9153c5628fb692d4de8d6668f95ad88c7d0ba66

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/UxiyyjiX

exe.dropper

https://pastebin.com/raw/UxiyyjiX

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://pastebin.com/raw/uRxFsn59

exe.dropper

https://pastebin.com/raw/20fZZM5U

Targets

- Target
  
  vb.vbs
- Size
  
  1KB
- MD5
  
  4f06b12e890e19ecc7d71fb0353e209c
- SHA1
  
  5064eeaef0e706cbac734bd014993805a96e70db
- SHA256
  
  318550907c41746ca0a815c0b8856e42cda84a2db6700311a89766d5aa136c9f
- SHA512
  
  7a40b05e1c30ef6617a73b7679f5caaa023e717b70fd3821b0468dc06e5a29a0dffff73167842c897c35d86fc9153c5628fb692d4de8d6668f95ad88c7d0ba66
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2