General
-
Target
9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a
-
Size
376KB
-
Sample
220308-nfh19sebh2
-
MD5
c9066e9c3eabb41cea08f291b743cf38
-
SHA1
cbceb189e6fccde97179f3c1d6570946db1aa869
-
SHA256
9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a
-
SHA512
0433981a6cce23508708860d1554d66610ca2779b8f76ced870a2b2b1806c385f0de51ac8f287a9cb996b98d3bc7038365ed2903cc598fd970683ecfcfb4e1fe
Static task
static1
Behavioral task
behavioral1
Sample
9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a.exe
Resource
win10v2004-en-20220112
Malware Config
Targets
-
-
Target
9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a
-
Size
376KB
-
MD5
c9066e9c3eabb41cea08f291b743cf38
-
SHA1
cbceb189e6fccde97179f3c1d6570946db1aa869
-
SHA256
9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a
-
SHA512
0433981a6cce23508708860d1554d66610ca2779b8f76ced870a2b2b1806c385f0de51ac8f287a9cb996b98d3bc7038365ed2903cc598fd970683ecfcfb4e1fe
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-