c32c454ae2dba633e5f9e7222bb06a49c2841886689b7b4961013ec3dc9e722e | Triage

Sharing

General

Target

itinerarydetails.pdf.vbs
Size

97KB
Sample

241211-t9ehtswjak
MD5

a64af1eb173a81ce83d8688582925a20
SHA1

0c4fbcfe1313d577199dacd5593824344e61ab1a
SHA256

c32c454ae2dba633e5f9e7222bb06a49c2841886689b7b4961013ec3dc9e722e
SHA512

82f7195508c8cb1abd524f94783bf352d46918090ab8c51a50a73d83e176573f8175769a4fe90fbac2c0bb83d516f8058bca89e9a8acda810f66adc92de2da16
SSDEEP

768:MjjjjjjjDWuF78+OUCp+aejjjjjjjjjjjjjjjjj3:tuFvYQX

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

exe.dropper

https://drive.google.com/uc?export=download&id=

exe.dropper

https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

Targets

- Target
  
  itinerarydetails.pdf.vbs
- Size
  
  97KB
- MD5
  
  a64af1eb173a81ce83d8688582925a20
- SHA1
  
  0c4fbcfe1313d577199dacd5593824344e61ab1a
- SHA256
  
  c32c454ae2dba633e5f9e7222bb06a49c2841886689b7b4961013ec3dc9e722e
- SHA512
  
  82f7195508c8cb1abd524f94783bf352d46918090ab8c51a50a73d83e176573f8175769a4fe90fbac2c0bb83d516f8058bca89e9a8acda810f66adc92de2da16
- SSDEEP
  
  768:MjjjjjjjDWuF78+OUCp+aejjjjjjjjjjjjjjjjj3:tuFvYQX
Score

10^/10

execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2