General
Target: PO-5042.scr
Size: 1.5MB
Sample: 210113-gkzased3fx
MD5: f502ba6dcaa52430ff540dbdef13c40b
SHA1: b697dbbac2192c5416648413f0639e9da4763c9a
SHA256: b1251d0a542cd96f6957904d30289cbf675035ae79ac4158fc098aa84cd22506
SHA512: b8d1a484012238d7a0d49bbe2077231b2bc39cd0581bc8e41b8e24ff2fcc39580ed8cecafea2570acf1df9d3ee1eb713415c80d1af1735fc029fe696b19d5d81
Static task: static1
Behavioral task: behavioral1
  Sample: PO-5042.scr
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: PO-5042.scr
  Resource: win10v20201028
Malware Config
Targets
Target: PO-5042.scr
Score: 8/10
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext