General
-
Target
QPR-1064.pdf.exe
-
Size
1.4MB
-
Sample
210113-85cx13aaln
-
MD5
64b5e237121e4d6832c5de27f2c4bac0
-
SHA1
bdddc8f90be60f49404180f4070f2b094728d8dd
-
SHA256
91a31ae7de6c7cfa8123333cec0fb4ac9317b12e8b1ede01de97936c8ab82ed7
-
SHA512
8ed87aaeb6500243445d29a5aa20f2dce5c21df727bf15f186993362e96db848fce23daa7e0603c82da3552979006e3bcda284c68ba856c6d8cd80b5c5077a8c
Malware Config
Targets
-
-
Target
QPR-1064.pdf.exe
-
Size
1.4MB
-
MD5
64b5e237121e4d6832c5de27f2c4bac0
-
SHA1
bdddc8f90be60f49404180f4070f2b094728d8dd
-
SHA256
91a31ae7de6c7cfa8123333cec0fb4ac9317b12e8b1ede01de97936c8ab82ed7
-
SHA512
8ed87aaeb6500243445d29a5aa20f2dce5c21df727bf15f186993362e96db848fce23daa7e0603c82da3552979006e3bcda284c68ba856c6d8cd80b5c5077a8c
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-