5.1 KiB
5.1 KiB
[Update] New samples, same TTPs and accounts
Table of Contents
- Malware analysis
- Cyber Threat Intel
- Indicators Of Compromise (IOC)
- References MITRE ATT&CK Matrix
- Links
Malware analysis
Initial vector
The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command.
Once this removed, we can see that use the only command is mshta for invoke the loader.
This web page use unescape (4 times) for use again mshta and redirect on the first pastebin.
The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint).
The second command create a persistence using another mshta for initate to to close the hidden window.
The third command execute a loader with two new pastebins.
The first share is a script using an array and the getbytes function for obfuscate the payload on two layers.
This execute a dll for load the second PE. This dll is the same than the last analysis and is use as protector ConfuserEx.
The second Pastebin content the data to split for the second PE.
The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard :
Cyber kill chain
The process graph resume the cyber kill chain used by the attacker.
Cyber Threat Intel
References MITRE ATT&CK Matrix
List of all the references with MITRE ATT&CK Matrix
| Enterprise tactics | Technics used | Ref URL |
|---|---|---|
Indicators Of Compromise (IOC)
List of all the Indicators Of Compromise (IOC)
| Indicator | Description |
|---|---|
| Domain requested | |
| IP requested | |
| HTTP/HTTPS requests | |
| IP C2 | |
| Domain C2 |