20e3caf06a8aa4f910992ffc2e9f4df5e9fc41874f7228b61b2cb587a8ece15a | Triage

Sharing

General

Target

REPLY TO NOTICE GST DRC-1A_pdf.zip
Size

746KB
Sample

241119-rrm15sxgmr
MD5

fb5371816f102c2a4db307ba9c907791
SHA1

e24f12603404b9b1e17e8b12c425896eeeab3e21
SHA256

20e3caf06a8aa4f910992ffc2e9f4df5e9fc41874f7228b61b2cb587a8ece15a
SHA512

b67645ad4005284d54dcacab85925b41a44af2d4c1a3ba731351609dc3c4bc2ce24675559c1a47667c755558a90955bffdf8a9347fa7a8cc1c04930e114183fc
SSDEEP

12288:HC7gPlXqlmIaoulTQNDrTLRvK4T6e7LIyc/QAmGOmsuxwRtpXdX51HXd:LSmg+QN7LRz6CIVHm3ltpdp1Ht

Score

8^/10

collection discovery execution

Malware Config

Targets

- Target
  
  REPLY TO NOTICE GST DRC-1A_pdf.exe
- Size
  
  762KB
- MD5
  
  602f9d7c92d9633a6136756e44cb66f6
- SHA1
  
  75838bde80e96ad7ca95193ad30732320a6910ff
- SHA256
  
  0af2987d5175022e30be422143cb98603a43008da2b67b4d6de99d7a41a5fd3c
- SHA512
  
  8a283a95f0bff324b51867ab0a145e0e0f1daa1d2e6f01db76fed986309565d8d9d63307889cdc8db9e1480b514294c44138f8912c731e0f63d5b6492284c613
- SSDEEP
  
  12288:TI9yhygh/XUZmIa+ulbQzDr1/RvK4f6efLIyc/QAIMOms+xwptpXhX51HXU:xhbumGaQzN/R/6MIVHIRZtphp1Hk
Score

8^/10

discovery execution collection
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Divisional/Troljerne/squamae.com
- Size
  
  323KB
- MD5
  
  f3705d740dca8d46b5a48d60c835e2a1
- SHA1
  
  9e80cf8669c2a6680be5aeee5e84b7bfb55e04e3
- SHA256
  
  87b08ea9d89bc023be4a6cef3ca5b74dac237a35173651c31e8b19062c427064
- SHA512
  
  6c5b39ccba3d187dbc2cd14620cbde9bdc778cc59cf96c5f8900b3cc40099a0c66e7ecb5cd30203a7d71bf183f9b2e49bb582a632ae12cf94a62232548d4687c
- SSDEEP
  
  768:tJCG3Zp6ICBp3uKWDL9e7LZSQvwthb++dk5MJKUe4ZCGKtnyuwvKZGye8HBdEmTN:tJ3u2two+KyomXrv4BxnU7cjkE+8
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

collectiondiscoveryexecution

behavioral3

behavioral4