General
- Target: 12974b45974b72abf85fafa5ef68c98b6604963f737a5876f9bc1cb8b64ddab6
- Size: 1.4MB
- Sample: 220222-wfnwhsbha3
- MD5: 81321b6f777a732cbff088ac44ce2711
- SHA1: e7407bfffaf61238a3fa1cc438fcd6344cbaff0e
- SHA256: 12974b45974b72abf85fafa5ef68c98b6604963f737a5876f9bc1cb8b64ddab6
- SHA512: dc32a562ca39315e90dd4cce21ec5bfd2707f07a786a4645b20df2178bd6e90e141d651b11a489dedd15d04de7974104de3e3a12fe2d25d334fae16815ab6428
Static task
- static1

Behavioral task
- behavioral1
  Sample: 12974b45974b72abf85fafa5ef68c98b6604963f737a5876f9bc1cb8b64ddab6.exe
  Resource: win7-en-20211208

Behavioral task
- behavioral2
  Sample: 12974b45974b72abf85fafa5ef68c98b6604963f737a5876f9bc1cb8b64ddab6.exe
  Resource: win10v2004-en-20220112
Malware Config
Extracted
- Protocol: smtp
- Host: mail.spytector.com
- Port: 587
- Username: [email protected]
- Password: Singular12x
Targets
- Target: 12974b45974b72abf85fafa5ef68c98b6604963f737a5876f9bc1cb8b64ddab6
- Size: 1.4MB
- MD5: 81321b6f777a732cbff088ac44ce2711
- SHA1: e7407bfffaf61238a3fa1cc438fcd6344cbaff0e
- SHA256: 12974b45974b72abf85fafa5ef68c98b6604963f737a5876f9bc1cb8b64ddab6
- SHA512: dc32a562ca39315e90dd4cce21ec5bfd2707f07a786a4645b20df2178bd6e90e141d651b11a489dedd15d04de7974104de3e3a12fe2d25d334fae16815ab6428
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext