General
-
Target
BL#HSZX00034256_pdf.exe
-
Size
960KB
-
Sample
201111-tkaq9cs1de
-
MD5
54d657c9a3d9b7b41c8d6c3c351e8e00
-
SHA1
dc0e9be372763bcec640dc646d2cfe20311a059a
-
SHA256
5085b0ca2f92b564192b4e5161917e146f72bdbb475718b51221aeb66fde89f0
-
SHA512
01a41d2d70db000581c6b5b6f2af4fc783172837279b28520b1a6db94c488ca4099b3ab68d7c08414a797f3813182dd458a1241c4d1babbd3b1e84aaa8df8a0c
Static task
static1
Behavioral task
behavioral1
Sample
BL#HSZX00034256_pdf.exe
Resource
win7v20201028
Malware Config
Extracted
Protocol: smtp
Host: mail.ilkimegitim.com
Port: 587
Username: savas@ilkimegitim.com
Password: Savas581
Targets
-
Target
BL#HSZX00034256_pdf.exe
-
Size
960KB
-
MD5
54d657c9a3d9b7b41c8d6c3c351e8e00
-
SHA1
dc0e9be372763bcec640dc646d2cfe20311a059a
-
SHA256
5085b0ca2f92b564192b4e5161917e146f72bdbb475718b51221aeb66fde89f0
-
SHA512
01a41d2d70db000581c6b5b6f2af4fc783172837279b28520b1a6db94c488ca4099b3ab68d7c08414a797f3813182dd458a1241c4d1babbd3b1e84aaa8df8a0c
-
Reads user/profile data of web browsers
Infostealers commonly harvest stored browser data, such as saved credentials, cookies and autofill entries.
-
Uses the VBS compiler for execution
vbc.exe is Microsoft's signed .NET Visual Basic compiler; loaders frequently launch it as a benign-looking host process and replace its code in memory. A vbc.exe child of a binary in a user-writable directory is the suspicious pattern, since legitimate builds spawn it from MSBuild or Visual Studio.
-
Adds Run key to start application
A value written under the registry's CurrentVersion\Run key makes the program launch again at every logon, a common persistence mechanism.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to discover the infected host's public IP address.
-
Suspicious use of SetThreadContext
Setting another thread's context is how process hollowing and similar injection techniques redirect execution into code written into the host process.
-
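An added detection example, not part of the Triage report, that turns the behaviours listed above into rules over Sysmon-style events and correlates the hits per process tree, so that one weak indicator (a lone DNS lookup) is separated from the full chain. The events are constructed for illustration and are not the sandbox's telemetry; the only values carried over from the report are the sample file name and the SMTP host and port from the extracted malware config, which are treated as indicators. The set of IP-lookup domains, the Sysmon field layout and the process IDs are assumptions of the example.

```python
"""Rule-based detection for the behaviours in the sandbox report above.

Constructed example: the events are made-up Sysmon-style records, not the
sandbox's own telemetry. Only the sample file name and the SMTP host/port
from the extracted malware config are taken from the report.
"""
import ntpath

# From the report's extracted malware config: treat host and port as indicators.
SMTP_HOST = "mail.ilkimegitim.com"
SMTP_PORT = 587

# Public-IP lookup services. The report names none; this set is an assumption.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
                     "ifconfig.me", "ip-api.com"}

# Paths a standard user can write to. A parent living here is the odd part,
# not vbc.exe itself: MSBuild and Visual Studio spawn it legitimately.
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def _user_writable(path):
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def rule_vbc_from_user_path(e):
    """'Uses the VBS compiler for execution': vbc.exe spawned by a user-path binary."""
    return (e.get("EventID") == 1
            and ntpath.basename(e["Image"]).lower() == "vbc.exe"
            and _user_writable(e["ParentImage"]))


def rule_run_key(e):
    """'Adds Run key to start application': a value set under CurrentVersion\\Run."""
    return e.get("EventID") == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower()


def rule_ip_lookup(e):
    """'Looks up external IP address via web service': DNS query to a lookup service."""
    return e.get("EventID") == 22 and e["QueryName"].lower() in IP_LOOKUP_DOMAINS


def rule_smtp_to_extracted_host(e):
    """Outbound connection to the SMTP host/port taken from the extracted config."""
    return (e.get("EventID") == 3 and e.get("DestinationPort") == SMTP_PORT
            and e.get("DestinationHostname", "").lower() == SMTP_HOST)


RULES = {
    "vbc_from_user_path": rule_vbc_from_user_path,
    "run_key_persistence": rule_run_key,
    "external_ip_lookup": rule_ip_lookup,
    "smtp_to_extracted_host": rule_smtp_to_extracted_host,
}


def correlate(events):
    """Group rule hits by the root of each process tree seen in the events.

    Returns {root_pid: {rule_name: [event, ...]}}. One hit is weak evidence;
    several distinct rules firing on the same tree is not.
    """
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e.get("EventID") == 1}

    def root(pid):
        # Walk upwards while the parent itself has a process-creation record.
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(root(e["ProcessId"]), {}).setdefault(name, []).append(e)
    return hits


def verdict(events, threshold=3):
    """Process trees that trip at least `threshold` distinct rules, with the rules hit."""
    return {pid: sorted(rules) for pid, rules in correlate(events).items()
            if len(rules) >= threshold}


# Constructed events: the chain from the report plus two benign look-alikes.
EVENTS = [
    {"EventID": 1, "ProcessId": 4012, "ParentProcessId": 1200,
     "Image": r"C:\Users\victim\Downloads\BL#HSZX00034256_pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 4012,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\victim\Downloads\BL#HSZX00034256_pdf.exe"},
    {"EventID": 13, "ProcessId": 4012,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater.exe"},
    {"EventID": 22, "ProcessId": 4100, "QueryName": "api.ipify.org"},
    {"EventID": 3, "ProcessId": 4100,
     "DestinationHostname": "mail.ilkimegitim.com", "DestinationPort": 587},
    # Benign: a developer build spawning vbc.exe, and ordinary mail submission.
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 5100,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe"},
    {"EventID": 3, "ProcessId": 6000,
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for pid, rules in verdict(EVENTS).items():
        print(f"root pid {pid}: {', '.join(rules)}")
```

Run stand-alone, the script flags only the tree rooted at the sample's process (pid 4012 in the constructed data) with all four rules; the MSBuild-spawned vbc.exe and the Office 365 mail connection produce no hits. The per-tree threshold is the design point: each signature in the report is noisy on its own, and the combination is what makes the verdict defensible.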