General
Target: 1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350
Size: 430KB
Sample: 220222-ramdaahfb5
MD5: 0679e968261f1e9318426baf83ee2948
SHA1: 610771c1484a6913e637dbc92fd815c2071429c1
SHA256: 1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350
SHA512: 82c50af4c29626d4050d50b9fa04681c9d020f219db9680255f0d2251107a834867ee885186d7d32cc297e5de9331d4fdb090c6ee5414e9d604802a97ca5f0de
Static task: static1
Behavioral task: behavioral1
  Sample: 1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350.exe
  Resource: win10v2004-en-20220113
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.ru
Port: 587
Username: [email protected]
Password: YWhoQGhvdG1ha..wiy28swd231wuY29tt.....
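The config above is the most actionable part of the report, but it reached the page flattened onto a few lines, and the hashes are what a responder uses to confirm that a file in hand is the analysed sample. The following is an added example, not part of the sandbox report: it embeds the four published digests and the config text verbatim, verifies a file against all four digests, parses the flattened config back into fields, and pulls out the part usable as a network indicator. Function names are my own; the byte strings used in testing are constructed.

```python
"""Verify a sample against the report's digests and parse the extracted SMTP
configuration.  Added example, not part of the sandbox report; the only inputs
are the hashes and config text published on the page."""
import hashlib
import re

# Digests exactly as published in the report's General section.
REPORT_HASHES = {
    "md5": "0679e968261f1e9318426baf83ee2948",
    "sha1": "610771c1484a6913e637dbc92fd815c2071429c1",
    "sha256": "1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350",
    "sha512": "82c50af4c29626d4050d50b9fa04681c9d020f219db9680255f0d2251107a834"
              "867ee885186d7d32cc297e5de9331d4fdb090c6ee5414e9d604802a97ca5f0de",
}

# The 'Extracted' block copied as it appears on the page: line breaks fell in
# the middle of 'Key: value' pairs and the password is truncated there.
REPORT_CONFIG = """Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
YWhoQGhvdG1ha..wiy28swd231wuY29tt....."""


def digests(data: bytes) -> dict:
    """Compute the four digests the report publishes for the given bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, report: dict = REPORT_HASHES) -> bool:
    """True only if every published digest matches.  A single mismatch means
    the file is not the analysed sample (repacked, truncated, another build)
    and the report's behavioural findings cannot be assumed to apply."""
    got = digests(data)
    return all(got[name] == report[name].lower() for name in report)


def parse_flat_config(text: str) -> dict:
    """Recover 'Key: value' pairs from the flattened config.  Pairs are
    separated by ' - ' (the space before the dash is sometimes missing, as in
    'smtp- Host'), so values run lazily up to the next '- Key:'."""
    flat = " ".join(line.strip() for line in text.splitlines())
    pairs = re.findall(r"(\w+):\s*(.*?)(?=\s*-\s+\w+:|$)", flat)
    return {key.lower(): value.strip() for key, value in pairs}


def network_iocs(cfg: dict) -> dict:
    """The subset of the config usable as a network indicator; the credentials
    are for the responder's notes, not for blocking."""
    return {"protocol": cfg["protocol"], "host": cfg["host"].lower(),
            "port": int(cfg["port"])}


if __name__ == "__main__":
    cfg = parse_flat_config(REPORT_CONFIG)
    print(network_iocs(cfg))
    print("username:", cfg["username"], "| password (truncated on page):", cfg["password"])
```

smtp.mail.ru on port 587 is a public mail provider's submission endpoint, so the host alone is a weak indicator; what makes it useful is the combination of that destination with a process that has no business sending mail. The username as shown on the page is an obfuscated placeholder and the password is cut off, so neither can be used as a pivot from this page.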
Targets
Target: 1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350
Size: 430KB
MD5: 0679e968261f1e9318426baf83ee2948
SHA1: 610771c1484a6913e637dbc92fd815c2071429c1
SHA256: 1c03e9cb2bc559793b65d8008e84adad28b06a5408d7a138d8e306123f713350
SHA512: 82c50af4c29626d4050d50b9fa04681c9d020f219db9680255f0d2251107a834867ee885186d7d32cc297e5de9331d4fdb090c6ee5414e9d604802a97ca5f0de
Signatures
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Modifies Installed Components in the registry (Active Setup: values under Active Setup\Installed Components run once per user at logon, a persistence mechanism)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework; a signed Microsoft binary commonly used as a host for injected code)
- Accesses Microsoft Outlook accounts
- Adds Run key to start application (persistence via a value under ...\CurrentVersion\Run, executed at user logon)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP
- Suspicious use of SetThreadContext (setting another thread's context is the usual way to redirect execution into injected code, as in process hollowing)
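Two of the behaviours listed above, the Run key persistence and the SMTP exfiltration endpoint from the extracted config, are individually noisy on a real estate (installers write Run keys, mail clients talk to smtp.mail.ru) but rarely occur together in one process. The following is an added example, not from the report, of correlating them on the host side. The events are constructed in a Sysmon-like shape (Event ID 13 = registry value set, Event ID 3 = network connection); the process GUIDs, image paths and registry values are made up, and the function names are my own.

```python
"""Flag a process that both writes a Run/RunOnce value and then connects to
the exfil host and port from the report's config.  Added example; the events
are constructed and not taken from the sandbox report."""

EXFIL_HOST, EXFIL_PORT = "smtp.mail.ru", 587      # from the report's config
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed events: (event_id, process_guid, image, detail).  For ID 13 the
# detail is the registry TargetObject; for ID 3 it is 'DestinationHost:Port'.
EVENTS = [
    (13, "{A}", r"C:\Users\u\AppData\Roaming\svc.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    (3,  "{A}", r"C:\Users\u\AppData\Roaming\svc.exe", "smtp.mail.ru:587"),
    (13, "{B}", r"C:\Program Files\Vendor\setup.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor"),
    (3,  "{C}", r"C:\Program Files\Mail\client.exe", "smtp.mail.ru:587"),
    (3,  "{A}", r"C:\Users\u\AppData\Roaming\svc.exe", "update.example.net:443"),
]


def is_run_key(target_object: str) -> bool:
    """True for values under any ...\\CurrentVersion\\Run or RunOnce key,
    whichever hive they live in."""
    t = target_object.lower()
    return any(marker in t for marker in RUN_KEY_MARKERS)


def is_exfil_connection(dest: str) -> bool:
    """True when the destination is exactly the configured host and port."""
    host, _, port = dest.rpartition(":")
    return host.lower() == EXFIL_HOST and port.isdigit() and int(port) == EXFIL_PORT


def correlate(events):
    """One finding per process that persisted via a Run key and later reached
    the exfil endpoint.  Events are assumed to be in time order, as Sysmon
    emits them; either behaviour on its own is deliberately not flagged."""
    persisted = {}                      # process_guid -> Run key written
    findings = []
    for event_id, guid, image, detail in events:
        if event_id == 13 and is_run_key(detail):
            persisted[guid] = detail
        elif event_id == 3 and is_exfil_connection(detail) and guid in persisted:
            findings.append({"process_guid": guid, "image": image,
                             "run_key": persisted[guid], "destination": detail})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Only process {A} is reported: {B} persists without sending mail and {C} sends mail without persisting. One caveat follows from the report's other signatures: if the sample redirects execution into another process (the SetThreadContext use and the launch of vbc.exe point that way), the network event is attributed to the injected process's GUID, not the dropper's, so in practice the correlation should also consider the parent process of the connecting image.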