c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f | Triage

Sharing

General

Target

Ödeme Onayı.vbs
Size

586KB
Sample

241102-3mysmayjdt
MD5

dbc2b2c1ad1e78348f9336869fbf0740
SHA1

7903a4142cb3c3e588710691a8577e5b7ee3c6c6
SHA256

c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f
SHA512

b4751bcaa288a9f0c74e7fac9bd7e9dc74422c71694300debdefebdc42bc077016bb07b2d928be4eb4d9cb16b18e744be35c82d2e2a53a7a0c290692772b94b2
SSDEEP

1536:coooooooooooooooooC99999999999999999999999999999999999999999999/:v3Jg6azbLal3Jg6azbLal3Jg6azbLaO

Score

10^/10

defense_evasion discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
BFwGyaUBMY1578@@

Targets

- Target
  
  Ödeme Onayı.vbs
- Size
  
  586KB
- MD5
  
  dbc2b2c1ad1e78348f9336869fbf0740
- SHA1
  
  7903a4142cb3c3e588710691a8577e5b7ee3c6c6
- SHA256
  
  c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f
- SHA512
  
  b4751bcaa288a9f0c74e7fac9bd7e9dc74422c71694300debdefebdc42bc077016bb07b2d928be4eb4d9cb16b18e744be35c82d2e2a53a7a0c290692772b94b2
- SSDEEP
  
  1536:coooooooooooooooooC99999999999999999999999999999999999999999999/:v3Jg6azbLal3Jg6azbLal3Jg6azbLaO
Score

10^/10

execution defense_evasion discovery persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoveryexecutionpersistence