General
-
Target
IMG-0641.doc
-
Size
598KB
-
Sample
210114-6926w9a1ss
-
MD5
44c09f25925b3a659e19dae6b5e70cc5
-
SHA1
4eb7ae147669bdb3cc508efc1160fd820e662fa9
-
SHA256
2ac13e163b9bdd76aa1dd7ebcfc2dd9ddc6a32712c328889495637a5d0d2a5ea
-
SHA512
d9bdabf18d25ea6ac434c63062c8119ecc2c52fc76b4c31ccc5079f7c4ffd7472a43574aa614ed15bafd7655011221f79dba1657dcba81e8fd86f30c979c2579
Static task
static1
Behavioral task
behavioral1
Sample
IMG-0641.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
IMG-0641.doc
Resource
win10v20201028
Malware Config
Targets
-
-
Target
IMG-0641.doc
-
Size
598KB
-
MD5
44c09f25925b3a659e19dae6b5e70cc5
-
SHA1
4eb7ae147669bdb3cc508efc1160fd820e662fa9
-
SHA256
2ac13e163b9bdd76aa1dd7ebcfc2dd9ddc6a32712c328889495637a5d0d2a5ea
-
SHA512
d9bdabf18d25ea6ac434c63062c8119ecc2c52fc76b4c31ccc5079f7c4ffd7472a43574aa614ed15bafd7655011221f79dba1657dcba81e8fd86f30c979c2579
Score10/10-
Modifies WinLogon for persistence
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-