bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933 | Triage

Sharing

General

Target

bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs
Size

165KB
Sample

241109-d3acjawhll
MD5

34f854905f0f1cfb29f41736b34c84d2
SHA1

777d4629fd82935f3760168cc95cd12a69701425
SHA256

bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933
SHA512

5a671989c7924466b249a5fe0d75667e820bb75d82fcd6e613211cb721b41eb7f2f84c8ffbb5df4fd08277c3e9350714dd9764a7cc5f65286b51807e11cb97dd
SSDEEP

3072:V0Z0Z0Z0Z0Z0Z0Z0Z0Z06K0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0p:q

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
BFwGyaUBMY1578@@

Targets

- Target
  
  bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933.vbs
- Size
  
  165KB
- MD5
  
  34f854905f0f1cfb29f41736b34c84d2
- SHA1
  
  777d4629fd82935f3760168cc95cd12a69701425
- SHA256
  
  bd3b1910de0908ebf93905730c594ab28058103110ab459ce3e4920b4d193933
- SHA512
  
  5a671989c7924466b249a5fe0d75667e820bb75d82fcd6e613211cb721b41eb7f2f84c8ffbb5df4fd08277c3e9350714dd9764a7cc5f65286b51807e11cb97dd
- SSDEEP
  
  3072:V0Z0Z0Z0Z0Z0Z0Z0Z0Z06K0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0Z0p:q
Score

10^/10

execution defense_evasion discovery
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoveryexecution