General

Target: paymen_invoice.doc
Size: 340KB
Sample: 210906-nt3mtsebel
MD5: 285d05dd2a3a053e5095f09b609fca64
SHA1: 668f3a6f6fa038bdbcd0e57d32783f37c259469d
SHA256: e31f5bfd01e6d5876991d6aae68921b7510090d880d2602ed57032e7d14a9cae
SHA512: 1db0f843078059020981aba55b5fe40d72ec5cc1aa0903353bde23e28299cfd732435760f80e7423c7b999e64e810090bfbaa2f90609aa426cd79074c655c407
Static task: static1
Behavioral task: behavioral1 (Sample: paymen_invoice.doc; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: paymen_invoice.doc; Resource: win10-en)
Malware Config

Extracted
  httP://192.3.194.242/EXCEL.exe

Extracted
  xpertrat 3.0.10
  Test
  kapasky-antivirus.firewall-gateway.net:4000
  L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Targets

Target: paymen_invoice.doc (340KB; same MD5/SHA1/SHA256/SHA512 as listed under General)
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- XpertRAT Core Payload
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL