General
-
Target
156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581
-
Size
1.8MB
-
Sample
220222-t4ydrabba5
-
MD5
092edda9d23a2641024199cfe439d195
-
SHA1
e52250b3534452ae30b4150f1807c410300e7a53
-
SHA256
156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581
-
SHA512
86ffd4d8f93cf891ccc43686702f5ccae8c72e64305401e7a46ceacc567fffcf298a1f65591b85499caba2cddae62e01021bee3ab86cabd68c1713760435524e
Static task
static1
Behavioral task
behavioral1
Sample
156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581.exe
Resource
win7-en-20211208
Malware Config
Extracted
Protocol: smtp- Host:
smtps.bol.com.br - Port:
587 - Username:
[email protected] - Password:
kelisson123
Extracted
cybergate
v1.02.1
server
macacolouco3059.ddns.net:50
Pluguin
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Microsoft
-
install_file
explorer.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
-
message_box_title
LAMMER
-
password
0050
-
regkey_hkcu
Avirnt
-
regkey_hklm
Avgnt
Extracted
njrat
0.6.4
loja
macacolouco3059.ddns.net:3059
b375d923c230947f4a1ad96e9215116e
-
reg_key
b375d923c230947f4a1ad96e9215116e
-
splitter
|'|'|
Targets
-
-
Target
156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581
-
Size
1.8MB
-
MD5
092edda9d23a2641024199cfe439d195
-
SHA1
e52250b3534452ae30b4150f1807c410300e7a53
-
SHA256
156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581
-
SHA512
86ffd4d8f93cf891ccc43686702f5ccae8c72e64305401e7a46ceacc567fffcf298a1f65591b85499caba2cddae62e01021bee3ab86cabd68c1713760435524e
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-