blankgrabber | 4b4c20c87e23a20ea3dafd57907ed3dbb38b65c88d0d15d60fb304228f44dbc4

General

Target

gojo sim.zip
Size

12.6MB
Sample

250414-3ej99syzgs
MD5

f14b9be1cca335e23639445e8e78ac9e
SHA1

ba0aea33cef6cf1f1dcf9741134ac58ae0c717e9
SHA256

4b4c20c87e23a20ea3dafd57907ed3dbb38b65c88d0d15d60fb304228f44dbc4
SHA512

c053d6009578f21e1774306de007ce44144e089f7c73a36ca79fe196590dbbba5c6bd3cbc4e58fe370222e12b46a1788994bbb3c078ca0305fbed2ccdaaa8c32
SSDEEP

196608:z0guj1G8FoLCTt7VwkB8WggI9VD/ZV1InfNESKqDZQrQos4BAK4d41jOt1qejGPU:6eLAwwIgI95xL/C+AK4ojOt1qvOm85

Score

10^/10

Malware Config

Targets

- Target
  
  dist/Gojo simulator.exe
- Size
  
  7.8MB
- MD5
  
  af5dd5e0736e272360fd2808eb1e570b
- SHA1
  
  a67924548f53e09ce4d1e4906a0a12e3cd4b1839
- SHA256
  
  bf89680b50b1fa2be445ffc674826d3445c98761a4c65a081e4eb5938eab1736
- SHA512
  
  02a6f7ad4cf9cb196b9246d2fb9c94a46b9163a71fff31f8b5dee12bd58cd6aa7175ec37d71a1ce8fa320af222af86e4f236ed44b3c29989d58c4a5ffa8aed57
- SSDEEP
  
  196608:mW1CHUOXXKApOgj9fZwQRCgiIKpdzjPOan7j2y283TOnOh:YxMUw8wIKppDO9ih
Score

10^/10

collection credential_access defense_evasion discovery execution spyware stealer upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  dist/mapper/map.exe
- Size
  
  5.2MB
- MD5
  
  4b7ac12256a768c1f344de2f169f5728
- SHA1
  
  40d63f9cf769b2304420737132cbd6a63a44eb96
- SHA256
  
  0910c0d226f1f5cb9a6ffaabb70e08b194bbf0b21617beb88109c2cf10987c4e
- SHA512
  
  e2f50413ba791b0cf6d92922b8f9db59e686837e8d2f9e1a097f0ad72cf59a66a8bbd2c0d5567e059ef2b05dc28aa443ad9409aced4475d55324096abe9abfaf
- SSDEEP
  
  98304:4uUx/rgmBLSmmoVIuKZxi8MHs6W2ZVci5lQ9pOidDXCc41t7uGkNP:pUx/rdSmmylyxz6zVc03gDyc4gN
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral3 behavioral4