General
-
Target
987421.exe
-
Size
1.3MB
-
Sample
211019-rg54zafhh6
-
MD5
75e71ba1842dc3f63198386adb92716f
-
SHA1
3dac2a6f86bf211fe4ed33f21dc63bbd1ff04114
-
SHA256
72946d33bc1e3945ed628d129fcc9096dc1ff9cedcfe2fe568ade44544519a20
-
SHA512
e0c2b6d689d6455e46d97079f28fcf7219a043bb1cb943c0d16ea5220b07f6bcc3267382db6a99783f3c2a0d6ec47e10f67a31491fc8bf9612eb15d3c7cdc834
Static task
static1
Behavioral task
behavioral1
Sample
987421.exe
Resource
win7-en-20210920
Malware Config
Extracted
Protocol: smtp- Host:
mail.merchantexint.com - Port:
587 - Username:
[email protected] - Password:
merW&13@
Targets
-
-
Target
987421.exe
-
Size
1.3MB
-
MD5
75e71ba1842dc3f63198386adb92716f
-
SHA1
3dac2a6f86bf211fe4ed33f21dc63bbd1ff04114
-
SHA256
72946d33bc1e3945ed628d129fcc9096dc1ff9cedcfe2fe568ade44544519a20
-
SHA512
e0c2b6d689d6455e46d97079f28fcf7219a043bb1cb943c0d16ea5220b07f6bcc3267382db6a99783f3c2a0d6ec47e10f67a31491fc8bf9612eb15d3c7cdc834
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-