General
Target: IMG_Order PO 094765 SMH.doc
Size: 241KB
Sample: 210920-n9z7msead3
MD5: 09c275af1fe403ef1955cf691179cb33
SHA1: 49b1427effc50d6949c45e22fecbbfba4b2380c5
SHA256: 4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77
SHA512: 4e48d08153575ce1238591654f557cc410d36b04f9e9160d0d26f9db9e1e3cb5ec267654af9a97eaad544d0e43f9a5fe2b1b27bfc2ddc16ee2aec8efe00e05ef
Static task: static1
Behavioral task: behavioral1
Sample: IMG_Order PO 094765 SMH.doc
Resource: win7v20210408
Behavioral task: behavioral2
Sample: IMG_Order PO 094765 SMH.doc
Resource: win10-en
Malware Config
Extracted: httP://esetnode32-antiviru.ydns.eu/EXCEL.exe
Extracted: xpertrat (version 3.0.10)
  Test
  kapasky-antivirus.firewall-gateway.net:4000
  L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Targets
Target: IMG_Order PO 094765 SMH.doc (241KB; hashes as listed under General)
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- XpertRAT Core Payload
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext