General
-
Target
PO23330019283713022025.exe
-
Size
668KB
-
Sample
250213-hw4p1svkfk
-
MD5
bbde90d159fa822e342aab15eb33b839
-
SHA1
57386d4b07b978892afce671e674581e300c4593
-
SHA256
307b13c2f8002e88af027d2c549936d08a47d1e3bfa96174d0b5b6cc749f7c3d
-
SHA512
c548f31ca9150e509761338f87edba9fa85dced7afcd2c7e8209feb48ceaf4397b3627c36dbfae5e01cf2faed45e056824cd746bc125b29e4a6de75e2bd3f45b
-
SSDEEP
12288:hDG4hAuAs9Mp4wSjEL0K5dmMiP1FuCdhq2PtqBA3O:t2nsGej65P2F9Vd+
Malware Config
Targets
-
-
Target
PO23330019283713022025.exe
-
Size
668KB
-
MD5
bbde90d159fa822e342aab15eb33b839
-
SHA1
57386d4b07b978892afce671e674581e300c4593
-
SHA256
307b13c2f8002e88af027d2c549936d08a47d1e3bfa96174d0b5b6cc749f7c3d
-
SHA512
c548f31ca9150e509761338f87edba9fa85dced7afcd2c7e8209feb48ceaf4397b3627c36dbfae5e01cf2faed45e056824cd746bc125b29e4a6de75e2bd3f45b
-
SSDEEP
12288:hDG4hAuAs9Mp4wSjEL0K5dmMiP1FuCdhq2PtqBA3O:t2nsGej65P2F9Vd+
Score10/10-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
ee260c45e97b62a5e42f17460d406068
-
SHA1
df35f6300a03c4d3d3bd69752574426296b78695
-
SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
-
SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
-
SSDEEP
192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Score8/10-
Downloads MZ/PE file
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2