General
- Target: 425d2457bb19e7898d0f5067ceb9039ec8cc0a5b7e36faa18a5dbb86c20009f8
- Size: 1.1MB
- Sample: 201114-rmztglvgen
- MD5: 97ebdb638573a9c5650a7a345841e59b
- SHA1: 3cc86bd642ffdff100347c4ffc8c8b28e1f53e0f
- SHA256: 425d2457bb19e7898d0f5067ceb9039ec8cc0a5b7e36faa18a5dbb86c20009f8
- SHA512: 55e229b349da80fcfbfb31b874378b0983b48e8f9bddfffd4e4eea480464ce274695205ad3d7d33ab5bedf85dc80c2ef5b91d3e544da32daa1cb820395325d73
Static task: static1
Behavioral task: behavioral1
- Sample: 425d2457bb19e7898d0f5067ceb9039ec8cc0a5b7e36faa18a5dbb86c20009f8.exe
- Resource: win7v20201028
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.casalsmd.com
- Port: 587
- Username: carolina@casalsmd.com
- Password: Carolina123
Targets
- Target: 425d2457bb19e7898d0f5067ceb9039ec8cc0a5b7e36faa18a5dbb86c20009f8
- Size: 1.1MB
- MD5: 97ebdb638573a9c5650a7a345841e59b
- SHA1: 3cc86bd642ffdff100347c4ffc8c8b28e1f53e0f
- SHA256: 425d2457bb19e7898d0f5067ceb9039ec8cc0a5b7e36faa18a5dbb86c20009f8
- SHA512: 55e229b349da80fcfbfb31b874378b0983b48e8f9bddfffd4e4eea480464ce274695205ad3d7d33ab5bedf85dc80c2ef5b91d3e544da32daa1cb820395325d73
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext