General
-
Target
doc20219119979791.r00
-
Size
15KB
-
Sample
211109-xyq92afgd9
-
MD5
6f4901dd7316b533fcc1f78f1fde74a0
-
SHA1
670b056a3e06b1c47e84fb5625584b84a4072cb6
-
SHA256
1bb0dbfc5f3b6b1548976ce6b675b1333305ffd33a002cedbd0b7d1d72377913
-
SHA512
3c53709aae84be0604466be074db6cc456f52da519558154a1e9f49ee355833dc098cc6c0ea8a395362a1757c91cb7b1cd3ad49b0e5c6b9f0570b15e7634c035
Malware Config
Targets
-
-
Target
doc20219119979791.exe
-
Size
28KB
-
MD5
848514d3293e05eef636c27ee777fe29
-
SHA1
0386b781ab84c9309d24eb15ef68628363a21fb0
-
SHA256
827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801
-
SHA512
d6764b887d64874f98b0be4a79e18a7b91cc6e8e1a8ead0c00d11e200a1297d711d3f1af64138a50d7d0be615c61923d48cbb42d6e6e9ba8d36b26fd32d4bd3c
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Turns off Windows Defender SpyNet reporting
-
Windows security bypass
-
Nirsoft
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-