General

Target: 209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2
Size: 1.1MB
Sample: 201109-fffnz9qkzn
MD5: 16c0e0a3dd6944e96b65f60d35608260
SHA1: 95e8a95386545036d39dc8bd18465753ba7fee1a
SHA256: 209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2
SHA512: e60377f2486a2d6185c5d6d1cec68447fd56c74006b933961ae617ba9ebadc99457a7c20aeb9adfa98293755892e2db8b2f39a34d424f8ad885287747ab1abb0

Static task: static1
Behavioral task: behavioral1
Sample: 209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2.exe
Resource: win7v20201028
Malware Config

Extracted
Protocol: smtp
Host: smtp.casalsmd.com
Port: 587
Username: carolina@casalsmd.com
Password: Carolina123

This is the SMTP account embedded in the sample. The host and port are the network indicators to hunt for (TCP/587 from a process that is not a mail client), and the account should be treated as compromised regardless of whether it was created by the operator or stolen from a legitimate user.
Targets

Target: 209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2
Size: 1.1MB
MD5: 16c0e0a3dd6944e96b65f60d35608260
SHA1: 95e8a95386545036d39dc8bd18465753ba7fee1a
SHA256: 209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2
SHA512: e60377f2486a2d6185c5d6d1cec68447fd56c74006b933961ae617ba9ebadc99457a7c20aeb9adfa98293755892e2db8b2f39a34d424f8ad885287747ab1abb0

Signatures
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution
  vbc.exe (the .NET Visual Basic compiler) is a signed Microsoft binary that ships with the .NET Framework and is a common host for injected code, since its network activity is rarely allowlisted or baselined.
- Adds Run key to start application
  Persistence via a value under ...\Software\Microsoft\Windows\CurrentVersion\Run.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the hallmark of process hollowing: a child is started suspended, its image replaced, and SetThreadContext points execution at the new entry point before ResumeThread. Combined with the dropped EXE and the vbc.exe signature above, this points to the payload running inside a hollowed process.
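As an added example (not part of this report and not the sandbox's own code), the Python below turns the behaviours listed above and the extracted SMTP config into a small detection pass over a handful of constructed Sysmon-style events. The event field names, the allowlists of legitimate vbc.exe parents and mail clients, the IP-lookup domain list, and the dropped-file name svc.exe are assumptions for illustration; only smtp.casalsmd.com, port 587 and the sample's file name come from the report.

```python
"""Detection logic for the behaviours in this report, run over constructed events.

Event records mimic Sysmon (1 = process create, 3 = network connect,
13 = registry value set, 22 = DNS query); field names are assumptions.
"""

# Indicators taken from the report's extracted config.
EXFIL_HOST = "smtp.casalsmd.com"
EXFIL_PORT = 587

# Assumed allowlists (not from the report): build tools that legitimately spawn
# vbc.exe, processes that legitimately speak SMTP, and common IP-lookup sites.
VBC_LEGIT_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_LOOKUP_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}

SAMPLE = r"C:\Users\victim\Downloads\209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2.exe"
DROPPED = r"C:\Users\victim\AppData\Roaming\svc.exe"            # assumed dropped name
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"  # real .NET 4 path

# Constructed telemetry (not captured from the sample): one infection chain plus
# two benign events that must not fire.
EVENTS = [
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 1, "Image": VBC, "ParentImage": DROPPED},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"EventID": 22, "Image": VBC, "QueryName": "api.ipify.org"},
    {"EventID": 3, "Image": VBC, "DestinationHostname": EXFIL_HOST, "DestinationPort": EXFIL_PORT},
    {"EventID": 1, "Image": VBC, "ParentImage": r"C:\Program Files\MSBuild\msbuild.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\outlook.exe",
     "DestinationHostname": "mail.example.com", "DestinationPort": 587},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_run_key(ev):
    """'Adds Run key to start application': any value written under ...\\CurrentVersion\\Run."""
    return ev.get("EventID") == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()


def rule_vbc_host(ev):
    """'Uses the VBS compiler for execution': vbc.exe spawned by something other than a build tool."""
    return (ev.get("EventID") == 1 and basename(ev.get("Image", "")) == "vbc.exe"
            and basename(ev.get("ParentImage", "")) not in VBC_LEGIT_PARENTS)


def rule_ip_lookup(ev):
    """'Looks up external IP address via web service': DNS query for a known lookup site."""
    return ev.get("EventID") == 22 and ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS


def rule_smtp_nonmail(ev):
    """Generic: SMTP submission from a process that is not a mail client."""
    return (ev.get("EventID") == 3 and ev.get("DestinationPort") in (25, 465, 587)
            and basename(ev.get("Image", "")) not in MAIL_CLIENTS)


def rule_known_exfil(ev):
    """Specific IOC: connection to the host/port from the extracted config."""
    return (ev.get("EventID") == 3 and ev.get("DestinationHostname", "").lower() == EXFIL_HOST
            and ev.get("DestinationPort") == EXFIL_PORT)


RULES = [
    ("run_key_persistence", rule_run_key),
    ("vbc_host_process", rule_vbc_host),
    ("external_ip_lookup", rule_ip_lookup),
    ("smtp_from_non_mail_client", rule_smtp_nonmail),
    ("known_exfil_host", rule_known_exfil),
]


def detect(events):
    """Return one hit per (event, rule) pair that matches."""
    hits = []
    for idx, ev in enumerate(events):
        for name, fn in RULES:
            if fn(ev):
                hits.append({"event": idx, "rule": name, "image": basename(ev.get("Image", ""))})
    return hits


def triggered_rules(events):
    """Sorted, de-duplicated rule names that fired, for a quick triage summary."""
    return sorted({h["rule"] for h in detect(events)})


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"event {h['event']:>2}  {h['rule']:<26} {h['image']}")
```

The generic SMTP rule catches the exfiltration even if the operator rotates the mail host, while the IOC rule pins this specific config; in practice you would also correlate the vbc.exe process-create hit with the network hits from the same process, since a compiler that resolves an IP-lookup domain and then opens a mail submission connection is exactly the hollowed-host pattern the SetThreadContext signature implies.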