General
Target: order1006202020.exe
Size: 889KB
Sample: 201109-9kp6rd74fa
MD5: 68ab67ab6818049ba24ffbaced99f10c
SHA1: 2855a79eaf660c43fa438a8dceb9e2f2e1e23664
SHA256: 372d7ad682638210ae549422e43a44e7cff293013f6dfaf340c401384a7f03a5
SHA512: 32d82ee4210543957a09b952c9f78cdcd85d0cee4f39220c7d79cb099aad3848d98ac512854eec54eb08f26cb8a01c3f78ca4e0cdcb440b9ea603501373fe93c
Static task: static1
Behavioral task: behavioral1
Sample: order1006202020.exe
Resource: win7v20201028
Malware Config
Extracted
Protocol: smtp
Host: smtp.urban.co.th
Port: 587
Username: info@urban.co.th
Password: Urban@1143
This is the mailbox the sample authenticates to in order to send harvested data out over SMTP submission (port 587). Treat the host, account and password as attacker-controlled exfiltration indicators, not as credentials belonging to the infected host.
Targets
Target: order1006202020.exe
Size: 889KB
MD5: 68ab67ab6818049ba24ffbaced99f10c
SHA1: 2855a79eaf660c43fa438a8dceb9e2f2e1e23664
SHA256: 372d7ad682638210ae549422e43a44e7cff293013f6dfaf340c401384a7f03a5
SHA512: 32d82ee4210543957a09b952c9f78cdcd85d0cee4f39220c7d79cb099aad3848d98ac512854eec54eb08f26cb8a01c3f78ca4e0cdcb440b9ea603501373fe93c
Signatures
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers: infostealers commonly harvest stored browser data such as saved credentials and cookies.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to learn the infected system's external IP address.
- Suspicious use of SetThreadContext: an API commonly used for process hollowing and other forms of code injection into another process.
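The signature list above and the extracted SMTP configuration can be turned into detection logic directly. The following is an added example, not part of the original sandbox report: it replays constructed EDR-style endpoint telemetry for a process tree rooted at order1006202020.exe and maps the events to the signatures named in this report, plus a match against the extracted exfiltration host and port. The event schema, the file paths, the list of IP-lookup services and the browser credential store names are assumptions chosen for illustration; SetThreadContext is not covered because it needs API-level tracing that this telemetry does not carry.

```python
"""
Added example, not part of the original sandbox report: replay constructed
endpoint telemetry against the behavioural signatures listed in the report
and the extracted SMTP exfiltration config. The event schema is a generic
EDR-style shape chosen for illustration, not any specific product's format.
"""
import re

# Indicators taken from the report.
SAMPLE = r"C:\Users\victim\Downloads\order1006202020.exe"   # assumed on-disk path
EXFIL_SMTP = ("smtp.urban.co.th", 587)

# Assumptions: illustrative IP-lookup services and browser credential stores.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
BROWSER_DATA_RE = re.compile(r"\\(Login Data|logins\.json|Cookies|key4\.db)$", re.I)
VBC_RE = re.compile(r"\\vbc\.exe$", re.I)

TEMP = r"C:\Users\victim\AppData\Local\Temp"
DROPPED = TEMP + r"\tmp1F3C.tmp.exe"
DLL = TEMP + r"\helper.dll"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed telemetry in time order; not captured from a real host.
EVENTS = [
    {"type": "process_create", "pid": 1204, "ppid": 800, "image": SAMPLE},
    {"type": "file_create", "pid": 1204, "path": DROPPED},
    {"type": "file_create", "pid": 1204, "path": DLL},
    {"type": "process_create", "pid": 2211, "ppid": 1204, "image": DROPPED},
    {"type": "image_load", "pid": 2211, "path": DLL},
    {"type": "process_create", "pid": 2312, "ppid": 2211, "image": VBC},
    {"type": "registry_set", "pid": 2312,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\order", "value": DROPPED},
    {"type": "file_read", "pid": 2312,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns_query", "pid": 2312, "query": "checkip.dyndns.org"},
    {"type": "net_connect", "pid": 2312, "host": "smtp.urban.co.th", "port": 587},
    {"type": "file_delete", "pid": 2211, "path": SAMPLE},
    # Unrelated process: must not be attributed to the sample's tree.
    {"type": "process_create", "pid": 3000, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "pid": 3000, "query": "api.ipify.org"},
]


def evaluate(events, root_image=SAMPLE):
    """Return {signature: [evidence]} for events attributable to root_image's process tree."""
    tree, dropped, hits = set(), set(), {}

    def hit(name, evidence):
        hits.setdefault(name, []).append(evidence)

    for ev in events:
        t = ev["type"]
        if t == "process_create":
            # Track the root sample and every descendant; ignore everything else.
            if ev["image"].lower() == root_image.lower() or ev["ppid"] in tree:
                tree.add(ev["pid"])
            else:
                continue
            if ev["image"].lower() in dropped:
                hit("Executes dropped EXE", ev["image"])
            if VBC_RE.search(ev["image"]):
                hit("Uses the VBS compiler for execution", ev["image"])
            continue
        if ev["pid"] not in tree:
            continue
        if t == "file_create":
            dropped.add(ev["path"].lower())
        elif t == "image_load" and ev["path"].lower() in dropped:
            hit("Loads dropped DLL", ev["path"])
        elif t == "file_delete" and ev["path"].lower() == root_image.lower():
            hit("Deletes itself", ev["path"])
        elif t == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            hit("Adds Run key to start application", f'{ev["key"]} = {ev["value"]}')
        elif t == "file_read" and BROWSER_DATA_RE.search(ev["path"]):
            hit("Reads user/profile data of web browsers", ev["path"])
        elif t == "dns_query" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hit("Looks up external IP address via web service", ev["query"])
        elif t == "net_connect" and (ev["host"].lower(), ev["port"]) == EXFIL_SMTP:
            hit("Connects to extracted SMTP exfiltration host", f'{ev["host"]}:{ev["port"]}')
    return hits


if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS).items():
        print(f"[+] {name}: {', '.join(evidence)}")
```

Attribution by process tree is what keeps the explorer.exe lookup of api.ipify.org from firing; in production the same logic would be fed from Sysmon or EDR events rather than the constructed list, and the SMTP match would normally be complemented by a network rule on the extracted host.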