General
-
Target
449dfb26b221a803430ac41a75c0a8da8205dcc12425e8ce59d786ff2c5d2dd3
-
Size
1.8MB
-
Sample
220310-178r8acbf5
-
MD5
d843dac7cc2b66fbfd71f58774186d0b
-
SHA1
31de88c299aa90aaaa131afac9f946b6c2d6c704
-
SHA256
449dfb26b221a803430ac41a75c0a8da8205dcc12425e8ce59d786ff2c5d2dd3
-
SHA512
82639ce34718385eab8461bd4c3af777ac9c0e08f7c10df9fd9efd5817fbd90b280039d620dc883ddef448ddfd412fcc6a4ce0c1326f4122122b8df8199f3764
Static task
static1
Behavioral task
behavioral1
Sample
449dfb26b221a803430ac41a75c0a8da8205dcc12425e8ce59d786ff2c5d2dd3.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
449dfb26b221a803430ac41a75c0a8da8205dcc12425e8ce59d786ff2c5d2dd3.exe
Resource
win10v2004-20220310-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
martinich22
Targets
-
-
Target
449dfb26b221a803430ac41a75c0a8da8205dcc12425e8ce59d786ff2c5d2dd3
-
Size
1.8MB
-
MD5
d843dac7cc2b66fbfd71f58774186d0b
-
SHA1
31de88c299aa90aaaa131afac9f946b6c2d6c704
-
SHA256
449dfb26b221a803430ac41a75c0a8da8205dcc12425e8ce59d786ff2c5d2dd3
-
SHA512
82639ce34718385eab8461bd4c3af777ac9c0e08f7c10df9fd9efd5817fbd90b280039d620dc883ddef448ddfd412fcc6a4ce0c1326f4122122b8df8199f3764
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-