General
Target: SPECIFICATION-625636.doc
Size: 341KB
Sample: 210911-bccc4adhej
MD5: 7208a7b222996d4bc09ef1ff90f4e6fa
SHA1: 8f64434a869f53831d34dd1ea1e2c6f599a8c978
SHA256: 48accb18692df9774f22f810c1812ef3b3d0da6174406df8f9fb0840a513475f
SHA512: 8aa072251243df640921fc05ea94dcc820f2aadf8e8d8215d7e01f4fff352f393fdf3065949cb84833d71ea46502904e35e77e9409353c46fa3518003e67d6cb
Static task: static1
Behavioral task: behavioral1
  Sample: SPECIFICATION-625636.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: SPECIFICATION-625636.doc
  Resource: win10-en
Malware Config
Extracted:
  httP://esetnode32-antiviru.ydns.eu/EXCEL.exe
Extracted:
  xpertrat
  3.0.10
  Test
  kapasky-antivirus.firewall-gateway.net:4000
  L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Targets
Target: SPECIFICATION-625636.doc
Signatures:
  Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
  XpertRAT Core Payload
  NirSoft MailPassView
    Password recovery tool for various email clients
  NirSoft WebBrowserPassView
    Password recovery tool for various web browsers
  Nirsoft
  Adds policy Run key to start application
  Blocklisted process makes network request
  Downloads MZ/PE file
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Suspicious use of SetThreadContext