Analysis
-
max time kernel
153s -
max time network
143s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
22/02/2022, 22:47
Static task
static1
Behavioral task
behavioral1
Sample
07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe
Resource
win10v2004-en-20220112
General
-
Target
07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe
-
Size
520KB
-
MD5
6f4cc7f74974e70f6d046529ff575022
-
SHA1
77f216cb385b8a612ea12915918fec3e6d17a7a6
-
SHA256
07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf
-
SHA512
1862dafb703df2db42a8699d5137e5e9659ce0daa3f9af8d1fe6a44228f22bf70917ad1354f309949f53528255d13c2e1057dfff304d22c05841d0de6e278e72
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
Hell-no123!
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/240-58-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/240-61-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1860-62-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1860-65-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
resource yara_rule behavioral1/memory/240-58-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/240-61-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1860-62-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1860-65-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 whatismyipaddress.com 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1648 set thread context of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 set thread context of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 240 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 28 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 1860 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 29 PID 1648 wrote to memory of 2012 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 33 PID 1648 wrote to memory of 2012 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 33 PID 1648 wrote to memory of 2012 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 33 PID 1648 wrote to memory of 2012 1648 07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe"C:\Users\Admin\AppData\Local\Temp\07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
PID:240
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵PID:1860
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 11442⤵PID:2012
-