General
-
Target
Hermaean.exe
-
Size
1.0MB
-
Sample
250217-ns4thazkw5
-
MD5
a5350eaa7864ac06277c445e0f52f9d9
-
SHA1
9a589f6dcbb0ee908a1665501b3e249a00c05db8
-
SHA256
eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5
-
SHA512
19cbd739728359dff2932ee72bf923598fe523ed2c08fc3d42f4e535e94e8cd7b0c4165eb1f3e4b54ef96b403396571b9ce9d3042ceacb996237d78b3347e2d1
-
SSDEEP
24576:NtLjOxH2phdL18qdTJhxEvGuw48Qw1J+FOZVKgyhz:NtLiwhd3dzxYfw4krkOZxy9
Malware Config
Targets
-
-
Target
Hermaean.exe
-
Size
1.0MB
-
MD5
a5350eaa7864ac06277c445e0f52f9d9
-
SHA1
9a589f6dcbb0ee908a1665501b3e249a00c05db8
-
SHA256
eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5
-
SHA512
19cbd739728359dff2932ee72bf923598fe523ed2c08fc3d42f4e535e94e8cd7b0c4165eb1f3e4b54ef96b403396571b9ce9d3042ceacb996237d78b3347e2d1
-
SSDEEP
24576:NtLjOxH2phdL18qdTJhxEvGuw48Qw1J+FOZVKgyhz:NtLiwhd3dzxYfw4krkOZxy9
Score10/10-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
7399323923e3946fe9140132ac388132
-
SHA1
728257d06c452449b1241769b459f091aabcffc5
-
SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
-
SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1
-
SSDEEP
192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
Score8/10-
Downloads MZ/PE file
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2