General
-
Target
1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556
-
Size
411KB
-
Sample
220222-she5lsace3
-
MD5
b624e6c14c4aa9c7319981e0410172d8
-
SHA1
5fe043e18dec32d4045e38fb3bc2f9a700b7079f
-
SHA256
1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556
-
SHA512
b8d083728c28b53146e3c1a552fd24125a39ea0c64640dcf6d43e1809f92b7f563edde715c56d7b7bddc8e05db7fddc096367b5448b329b5a45921eda3f74e5e
Static task
static1
Behavioral task
behavioral1
Sample
1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
YWhoQG..Ghkwis.
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
YWhoQG..GhwvdG..
Targets
-
-
Target
1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556
-
Size
411KB
-
MD5
b624e6c14c4aa9c7319981e0410172d8
-
SHA1
5fe043e18dec32d4045e38fb3bc2f9a700b7079f
-
SHA256
1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556
-
SHA512
b8d083728c28b53146e3c1a552fd24125a39ea0c64640dcf6d43e1809f92b7f563edde715c56d7b7bddc8e05db7fddc096367b5448b329b5a45921eda3f74e5e
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-