General
Target: a68aaf370bd46ec00abef5b522d5c6faf6c1beff6a3af3098e4a6dd1e25fce05
Size: 962KB
Sample: 201114-2ebb892mk2
MD5: 01c03727d5d9f94fc7c47a622effc217
SHA1: a7a446111da017ee275964af46ac71ff7745c7f6
SHA256: a68aaf370bd46ec00abef5b522d5c6faf6c1beff6a3af3098e4a6dd1e25fce05
SHA512: 84d8f982bfb57fee01b989d74212739b53a81bd3a34a19324a209ef6a1a20c055470c161d60a42e6d2fc17fee5058c8f813d2d1824aaf67ec90c6c089756cc72
Static task: static1
Behavioral task: behavioral1
Sample: a68aaf370bd46ec00abef5b522d5c6faf6c1beff6a3af3098e4a6dd1e25fce05.exe
Resource: win7v20201028
Malware Config
Extracted
Protocol: smtp
Host: smtp.casalsmd.com
Port: 587
Username: carolina@casalsmd.com
Password: Carolina123
Targets
Target: a68aaf370bd46ec00abef5b522d5c6faf6c1beff6a3af3098e4a6dd1e25fce05
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext