General
Target: order30JUN2020.exe
Size: 917KB
Sample: 200630-sgf89n7h8a
MD5: 4bc018a505cbe56b05f093a268cf5614
SHA1: 02ee790415992ecc24a38057f8007be2738492b8
SHA256: 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7
SHA512: d19d24100a1501cb67ab4d7f6efc0a53191a1cba091c369a8622ba1dd74974c2b10bde3dec3ad9caa4947fb25346a8aeda0e3e7a1ec5bf1717cef85f256aa9a4
Static task: static1
Behavioral task: behavioral1
Sample: order30JUN2020.exe
Resource: win7
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: gruppen1@yandex.com
Password: tools12345
Targets
Target: order30JUN2020.exe
Size: 917KB
MD5: 4bc018a505cbe56b05f093a268cf5614
SHA1: 02ee790415992ecc24a38057f8007be2738492b8
SHA256: 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7
SHA512: d19d24100a1501cb67ab4d7f6efc0a53191a1cba091c369a8622ba1dd74974c2b10bde3dec3ad9caa4947fb25346a8aeda0e3e7a1ec5bf1717cef85f256aa9a4
- Executes dropped EXE
- UPX packed file: detects executables packed with UPX or a modified UPX open-source packer.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Uses the VBS compiler for execution
- Adds Run entry to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext