General
-
Target
e9fcab6dd83ee8d52d0c26b72c5d7492261fd25e747501deb6e42a86155fc86d
-
Size
872KB
-
Sample
201111-cwyrszn952
-
MD5
17a37cac7b4b1b83008e2b293b149155
-
SHA1
ee960a8f4d618a99271bb3236fe5a6807a12a63d
-
SHA256
e9fcab6dd83ee8d52d0c26b72c5d7492261fd25e747501deb6e42a86155fc86d
-
SHA512
f0dcde15c63a47abcfa4e5f4534134835ed4187d578e39f42d755aeee1936ed26ed1811f9960d1572d5d889bf20941b96f04702c3ca9b3c21c67afc48cc8785f
Static task
static1
Behavioral task
behavioral1
Sample
e9fcab6dd83ee8d52d0c26b72c5d7492261fd25e747501deb6e42a86155fc86d.exe
Resource
win7v20201028
Malware Config
Extracted
Protocol: smtp- Host:
smtp.vivaldi.net - Port:
587 - Username:
moniman@vivaldi.net - Password:
manmoin@outlook.com
Targets
-
-
Target
e9fcab6dd83ee8d52d0c26b72c5d7492261fd25e747501deb6e42a86155fc86d
-
Size
872KB
-
MD5
17a37cac7b4b1b83008e2b293b149155
-
SHA1
ee960a8f4d618a99271bb3236fe5a6807a12a63d
-
SHA256
e9fcab6dd83ee8d52d0c26b72c5d7492261fd25e747501deb6e42a86155fc86d
-
SHA512
f0dcde15c63a47abcfa4e5f4534134835ed4187d578e39f42d755aeee1936ed26ed1811f9960d1572d5d889bf20941b96f04702c3ca9b3c21c67afc48cc8785f
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-