General
- Target: 3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f
- Size: 652KB
- Sample: 220310-3q2cxsgack
- MD5: 9ecac63c5ba5398ed06ab220bc7cf275
- SHA1: e5e23a32e8e0bfef5e5790159b12f4d20bc6e302
- SHA256: 3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f
- SHA512: bb58b1f3a263afaa17b71b4f740d24f4b8735b8f8ddb66c107e6a19f5029912ce499eb400b1ab8b5dcc8c933b6a5b6746f8d0c789bef9f4e8079bb26c45456c0
Static task: static1
Behavioral task: behavioral1
- Sample: 3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f.exe
- Resource: win10v2004-en-20220113
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: Kopi1313
Targets
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext