General
- Target: R2607210998764553.doc
- Size: 1MB
- Sample: 210727-6j8pv1lbsa
- MD5: c37d902c03a12a87e5394f849ae966d3
- SHA1: 8b4a32210a84fe179b97b211e05bccec0a377789
- SHA256: 5c783a84eb7784ccab875c4ec73f44f99a6e443ef7c5dcfaaaa9f2e23f71e072
- SHA512: 1f0b42a167ff8e97c51d269048668ac39f9563e709b125b839b443dfa0e3b499f131a63404a80bf9631859f5fc7165e66844eb31e5b29f0351e03f7fdebfbc9b
Static task: static1
Behavioral task: behavioral1
- Sample: R2607210998764553.doc
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: R2607210998764553.doc
- Resource: win10v20210408
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.vngpack.com
- Port: 21
- Username: newloggsaa@vngpack.com
- Password: Xpen2000
Targets
- Target: R2607210998764553.doc
- suricata: ET MALWARE HawkEye Keylogger FTP
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext