General
-
Target
64daa51f606ce76dacf20e533b9be33c7dd622d001478e8a77f2a98d76880012
-
Size
520KB
-
Sample
220310-fkxffseah3
-
MD5
503b6ee3454b17ef610fe53095179cae
-
SHA1
0cb9eb9cf1e3a88771a859357ca3ae68a1d06855
-
SHA256
64daa51f606ce76dacf20e533b9be33c7dd622d001478e8a77f2a98d76880012
-
SHA512
4b7833904e78a792f0b21e885f522ab8836fb941a4177c704ef0c08f17453dc2c428befbbc89331b04b726a8055e30341817b84532eea63e68e92354789d7e41
Static task
static1
Behavioral task
behavioral1
Sample
64daa51f606ce76dacf20e533b9be33c7dd622d001478e8a77f2a98d76880012.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
64daa51f606ce76dacf20e533b9be33c7dd622d001478e8a77f2a98d76880012.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
AGOZIE12345
Targets
-
-
Target
64daa51f606ce76dacf20e533b9be33c7dd622d001478e8a77f2a98d76880012
-
Size
520KB
-
MD5
503b6ee3454b17ef610fe53095179cae
-
SHA1
0cb9eb9cf1e3a88771a859357ca3ae68a1d06855
-
SHA256
64daa51f606ce76dacf20e533b9be33c7dd622d001478e8a77f2a98d76880012
-
SHA512
4b7833904e78a792f0b21e885f522ab8836fb941a4177c704ef0c08f17453dc2c428befbbc89331b04b726a8055e30341817b84532eea63e68e92354789d7e41
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-