General
- Target: fbaa1f1039d717190116a36e1daef36aa5f725313f508b035e5b736ba1120bfb
- Size: 595KB
- Sample: 201114-q5hr377zm6
- MD5: f12bf300a08183f01931fba879d19ac6
- SHA1: 0a2a43e3728530cfcfa03fc1e8adc815212f5ee8
- SHA256: fbaa1f1039d717190116a36e1daef36aa5f725313f508b035e5b736ba1120bfb
- SHA512: a82fa14bce10ed8c66e8487693d3e62b8d9b866836226f253916b90fde00c8b09e38c64d63b9277596f8fbdc30f710feb891645ca1250ab5331f6de8cc5dcc49
Static task: static1
Behavioral task: behavioral1
- Sample: fbaa1f1039d717190116a36e1daef36aa5f725313f508b035e5b736ba1120bfb.exe
- Resource: win7v20201028
Malware Config
Extracted
- Protocol: ftp
- Host: files.000webhost.com
- Port: 21
- Username: metalcraftxx
Targets
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext