General

Target: order12062020.exe
Size: 874KB
Sample: 201109-sykwyp6h5n
MD5: 2cde7eb7c2f3d608b65d840591e00080
SHA1: bb05b6f62fba88fea614a8fb03649473f86a7748
SHA256: 8a98e6c68557ca5e0b2c2f7bec7ffd9a4a58479ce307c7fc88c030e4d0baf694
SHA512: 936ba95b895cf2606a030be7c3ac7dd373a9b3876788a0b6105f1ed025a66110fb4e64e7b4803c1be117110565b41b457b7861d10de161c4e1db197948b3ca83
Static task: static1
Behavioral task: behavioral1
Sample: order12062020.exe
Resource: win7v20201028
Malware Config

Extracted
Protocol: smtp
Host: smtp.urban.co.th
Port: 587
Username: info@urban.co.th
Password: Urban@1143

This is the mailbox the sample uses to send collected data out over SMTP on port 587 (the mail submission port). Treat the host, account and password as indicators: alert on or block outbound connections from endpoints to smtp.urban.co.th:587, and note that whether the account is attacker-owned or a hijacked legitimate one, it is in active use by the attacker and its owner should rotate the credentials.
Targets

Target: order12062020.exe (874KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures

- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.
- Uses the VBS compiler for execution
  The .NET Framework's vbc.exe is started as a child process; a trusted, signed binary like this is a frequent host for injected code.
- Adds Run key to start application
  A value under Software\Microsoft\Windows\CurrentVersion\Run re-launches the payload at each logon.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP, typically so it can be included in the data sent back to the attacker.
- Suspicious use of SetThreadContext
  Calling SetThreadContext on a thread of another process is a standard step in process hollowing and other thread-hijacking injection techniques.
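The signatures above are what a sandbox derives from API-level monitoring. On a production host the same behaviours mostly show up in Sysmon telemetry, so the block below, added to this report and not part of Triage's own signature code, replays the report's signatures as a small matcher over a constructed Sysmon-style event stream (EventID 1 process create, 3 network connect, 7 image load, 11 file create, 13 registry value set, 22 DNS query). The sample path, the dropped file names, the SID in the Run key and the set of IP-lookup hosts are assumptions for illustration; the SMTP host and port come from the extracted config on this page. Two signatures are not covered because Sysmon has no event for them: "Reads user/profile data of web browsers" (file reads are not logged) and "Suspicious use of SetThreadContext" (an API call, not a Sysmon event).

```python
import re

# Assumption: where the sample landed on the analysis host (path is constructed).
SAMPLE = r"c:\users\admin\appdata\local\temp\order12062020.exe"
DROPPED_EXE = r"c:\users\admin\appdata\roaming\svchelper\svchelper.exe"  # constructed
DROPPED_DLL = r"c:\users\admin\appdata\roaming\svchelper\helper.dll"     # constructed

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
VBS_COMPILER_RE = re.compile(r"\\vbc\.exe$", re.I)
DEL_RE = re.compile(r"\bdel\b", re.I)
# Assumption: common public IP-lookup hosts; the report does not name the one it observed.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com", "ifconfig.me"}
# From the extracted config on this page.
SMTP_HOST, SMTP_PORT = "smtp.urban.co.th", 587


def match_signatures(events):
    """Return the set of report-style signature names matched by a sequence of
    Sysmon-like event dicts (EventID plus the usual Sysmon field names)."""
    hits = set()
    dropped = set()  # lower-cased paths the sample itself wrote (EventID 11)
    for e in events:
        eid = e["EventID"]
        if eid == 11 and e["Image"].lower() == SAMPLE:
            dropped.add(e["TargetFilename"].lower())
        elif eid == 1:
            image = e["Image"].lower()
            cmd = e.get("CommandLine", "").lower()
            parent = e.get("ParentImage", "").lower()
            if VBS_COMPILER_RE.search(image):
                hits.add("Uses the VBS compiler for execution")
            if image in dropped and image.endswith(".exe"):
                hits.add("Executes dropped EXE")
            # self-delete through a child shell: cmd /c ... del "<own path>"
            if parent == SAMPLE and DEL_RE.search(cmd) and SAMPLE in cmd:
                hits.add("Deletes itself")
        elif eid == 7 and e["ImageLoaded"].lower() in dropped:
            hits.add("Loads dropped DLL")
        elif eid == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            hits.add("Adds Run key to start application")
        elif eid == 22 and e["QueryName"].lower() in IP_LOOKUP_HOSTS:
            hits.add("Looks up external IP address via web service")
        elif (eid == 3 and e.get("DestinationHostname", "").lower() == SMTP_HOST
              and e["DestinationPort"] == SMTP_PORT):
            hits.add("Connects to configured SMTP exfiltration host")
    return hits


# Constructed event stream mimicking what Sysmon would record for this sample;
# two benign-looking events (Explorer key, microsoft.com lookup) must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED_EXE},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED_DLL},
    {"EventID": 1, "Image": DROPPED_EXE, "ParentImage": SAMPLE, "CommandLine": DROPPED_EXE},
    {"EventID": 7, "Image": DROPPED_EXE, "ImageLoaded": DROPPED_DLL},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": SAMPLE, "CommandLine": "vbc.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 22, "Image": DROPPED_EXE, "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": DROPPED_EXE, "QueryName": "www.microsoft.com"},
    {"EventID": 3, "Image": DROPPED_EXE, "DestinationHostname": "smtp.urban.co.th", "DestinationPort": 587},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'cmd /c ping 127.0.0.1 -n 3 & del "{SAMPLE}"'},
]

EXPECTED = {
    "Executes dropped EXE", "Deletes itself", "Loads dropped DLL",
    "Uses the VBS compiler for execution", "Adds Run key to start application",
    "Looks up external IP address via web service",
    "Connects to configured SMTP exfiltration host",
}

if __name__ == "__main__":
    for sig in sorted(match_signatures(SAMPLE_EVENTS)):
        print(sig)
```

Order matters: "Executes dropped EXE" and "Loads dropped DLL" only fire for files the sample was earlier seen writing, which is what separates a dropped payload from an ordinary child process. Real Sysmon exports carry the same field names, so the matcher can be pointed at parsed EVTX/JSON records without changing the rules.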