General

  • Target

    Documentos de exportación_envío adjuntos-password(X9hVfEzD).zip

  • Size

    1.0MB

  • Sample

    250502-qvf7bscm8v

  • MD5

    89c07ecf3d0aafccf3fad39f42f10874

  • SHA1

    6b508cab81feae9d1922fe10391d0d27e87a4835

  • SHA256

    9ad92096d67780d9f6ac1e12b773c7b67fdab911eb0ed51dee67eee286b9d5fb

  • SHA512

    e06cd8860d591c6ce783eb110e75a273ff54648fd9d87ab797982d5296afdfdd0bfbafd3487ecbf96944708e9216ec4d53dc2fae628543a0eda99102a12d9067

  • SSDEEP

    24576:xFcIlwgUOCHSeWUdWI5jLq9+4q1qZ6LI+RzuLeDs0Mbsuju:DRUdfX3Enqx04tMY+u

Malware Config

Targets

    • Target

      Documentos de exportación_envío adjuntos-password(X9hVfEzD).zip

    • Size

      1.0MB

    • MD5

      89c07ecf3d0aafccf3fad39f42f10874

    • SHA1

      6b508cab81feae9d1922fe10391d0d27e87a4835

    • SHA256

      9ad92096d67780d9f6ac1e12b773c7b67fdab911eb0ed51dee67eee286b9d5fb

    • SHA512

      e06cd8860d591c6ce783eb110e75a273ff54648fd9d87ab797982d5296afdfdd0bfbafd3487ecbf96944708e9216ec4d53dc2fae628543a0eda99102a12d9067

    • SSDEEP

      24576:xFcIlwgUOCHSeWUdWI5jLq9+4q1qZ6LI+RzuLeDs0Mbsuju:DRUdfX3Enqx04tMY+u

    Score
    1/10
    • Target

      e4e392a7a100a6e708e67c0bedfefbccef17fcb5dab1a52ba4e31cc6ef452477.eml

    • Size

      1.0MB

    • MD5

      47cd9e23320176fa7d5a68103c0659b1

    • SHA1

      600eda20c29e5488b438e5b8555ec3f9c6338fc0

    • SHA256

      5c2fec9f97ba1b736fd855da18222eb7aa4cbe24e4b4ce3e3e14e50a4bd16f6e

    • SHA512

      aec3e40f8f6671ff89bd4cb753a84d08521059152981a26a0f6596f5284d5c7ef0ee3a9ea6798d5d1d46c30c494548908da51c7b4ea2c4f5378bef8aa1d7a057

    • SSDEEP

      24576:fWeyGQqftfSHBzSapJdY61/TM964aZC712ddlL5fV2cAGuE:f2cftgSapk62964tk7f1

    Score
    3/10
    • Target

      Documentos de envío incorrectos.gz

    • Size

      771KB

    • MD5

      d8718d0e2f67ddec3c1568b651d00a22

    • SHA1

      fef7ab5a30979ef20547cef3264dfe6f05e1323e

    • SHA256

      133fb31ea43144abce54d27f8ac0f0b8f8f537cdbc15d724f95aa33ca3580c64

    • SHA512

      19b2e9b73ca63541de675d578c7947bf106dd5bb2bea32c64fee0f2ef08c1823e43a5c5cac9b8ae0c504b674a18edc7253c8eda0a51a227ee2d483b8aae75a6f

    • SSDEEP

      24576:buvFDXuzHxoCNPblT4nDqR1MGYxpg/niW7:YAzxoQPblbGZg/57

    Score
    1/10
    • Target

      Documentos de envío incorrectos.exe

    • Size

      962KB

    • MD5

      25038144486e49d6a54f3780484b2033

    • SHA1

      5ac81bd87347f0baa3fd65daaab01b8bf894ce2a

    • SHA256

      f49075854c53ae61920881846fac69180afd3276f6c5ffdc0f7740e2a712e762

    • SHA512

      57a635da52b1dfed5d0358b548cde68bd90cf92363033963022900a823aaef4561c44ad72fac429e4247286700098d9f327206a2967a025f90e5444ab2b838a9

    • SSDEEP

      12288:vuXRY5dWqpG2mf+zQt3k1HiVqg6PBi659FbfxlrjBktZc0XsjQco0rv6Ktw+0dDq:vSoWmG2mW1HiqnFDrtCc08jQc/

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser profile data, which can include saved credentials and other secrets.

    • Suspicious use of SetThreadContext

    • Target

      email-html-1.txt

    • Size

      711B

    • MD5

      36f2fcf5ad183c3bb8efc2d10fb6bf0c

    • SHA1

      52317f69369ed9633430b4ed15c111df5fcaeb9d

    • SHA256

      f70571fb726722160615744cd069b0aebf9f55574d9db49995e30b00897aedf3

    • SHA512

      44e4dc57665697b428f68be9237067b2f25219e9f9d2ed7d6cf6daa7e3021c8de9d607e315f376decc4434e18cab1cf8e95a17eb2b897ab18c589b13a843df6f

    Score
    4/10
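The signatures reported above for Documentos de envío incorrectos.exe (Defender exclusions added via PowerShell, a registry lookup of the configured country, access to WinSCP stored sessions, and reads of browser profile data) can be checked for in host telemetry. The following is an added detection example, not code from the sandbox or from the sample: it runs three checks over a constructed list of events (PowerShell script-block text, registry reads and file opens) and reports which behaviour each event would trip. The registry locations it keys on (HKCU\Control Panel\International\Geo\Nation for the country GeoID, and HKCU\Software\Martin Prikryl\WinSCP 2\Sessions for WinSCP stored sessions) are real paths, but it is an assumption that these are exactly what the sandbox signatures match; the browser store file names are illustrative, not exhaustive.

```python
import re

# Constructed sample telemetry (not taken from the sandbox run above). Each record
# is a simplified event: PowerShell script-block text (Event ID 4104), a registry
# value read, or a file open.
SAMPLE_EVENTS = [
    {"kind": "scriptblock",
     "text": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
             "-ExclusionProcess 'Documentos de envío incorrectos.exe' -ExclusionExtension '.exe'"},
    {"kind": "scriptblock", "text": "Set-MpPreference -ExclusionPath \"$env:APPDATA\""},
    {"kind": "scriptblock", "text": "Get-ChildItem -Path C:\\Windows"},
    {"kind": "registry", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "registry", "path": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\backup-sftp\Password"},
    {"kind": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\report.docx"},
]

# Add-MpPreference / Set-MpPreference parameters that widen the Defender exclusion
# list; a parameter may carry several comma-separated values.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# Registry locations assumed to sit behind two of the reported signatures.
GEO_NATION = r"control panel\international\geo\nation"          # GeoID of the configured country
WINSCP_SESSIONS = r"software\martin prikryl\winscp 2\sessions"  # WinSCP stored sessions

# Credential/cookie stores of common browsers (illustrative list, not exhaustive).
BROWSER_STORES = ("login data", "logins.json", "key4.db", "cookies", "web data")


def defender_exclusions(script_text):
    """Return {'Path': [...], 'Process': [...], 'Extension': [...]} for exclusion
    parameters passed to Add-/Set-MpPreference; an empty dict if there are none."""
    if not MP_CMDLET_RE.search(script_text):
        return {}
    found = {}
    for m in EXCLUSION_RE.finditer(script_text):
        kind = m.group(1).capitalize()
        raw = next(g for g in m.groups()[1:] if g is not None)
        values = [v.strip() for v in raw.split(",") if v.strip()]
        found.setdefault(kind, []).extend(values)
    return found


def classify_registry(path):
    """Map a registry path to the behaviour it indicates, or None."""
    p = path.lower()
    if GEO_NATION in p:
        return "checks_computer_location"
    if WINSCP_SESSIONS in p:
        return "reads_winscp_sessions"
    return None


def classify_file(path):
    """Flag reads of browser profile credential/cookie stores, or return None."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if name in BROWSER_STORES and ("\\user data\\" in p or "\\profiles\\" in p):
        return "reads_browser_profile_data"
    return None


def triage(events):
    """Run all checks over a list of events; return (index, tag, detail) tuples."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] == "scriptblock":
            excl = defender_exclusions(ev["text"])
            if excl:
                findings.append((i, "defender_exclusion_added", excl))
        elif ev["kind"] == "registry":
            tag = classify_registry(ev["path"])
            if tag:
                findings.append((i, tag, ev["path"]))
        elif ev["kind"] == "file":
            tag = classify_file(ev["path"])
            if tag:
                findings.append((i, tag, ev["path"]))
    return findings


if __name__ == "__main__":
    for idx, tag, detail in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}: {detail}")
```

The Defender check deliberately parses the exclusion values rather than just matching the cmdlet name, because a triage analyst wants to know what was excluded (here the dropped executable's own name and extension) to judge whether a benign admin script or the malware added it; single events from the other two checks are weak on their own and are best correlated with the exclusion finding from the same process.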

MITRE ATT&CK Enterprise v16

Tasks