General
- Target: 51cb64e4ec187ad258be9ff42961658c691158ad358f84523ea2487da599d20d
- Size: 645KB
- Sample: 220310-w3ma7shhg9
- MD5: cdd9a729aa6eefd55f8b4964fc8ecbed
- SHA1: 13e6c9dca3239353eb32ea8557cc41fbaf169fec
- SHA256: 51cb64e4ec187ad258be9ff42961658c691158ad358f84523ea2487da599d20d
- SHA512: 7b7faa6094969ef46cd8792b2db13a2534c308a9c291f12638b7910bb1543236a9dad10261a2e0e9cfae7576e3f1c2d895f6208438430e723b52c0fb565673cb
Static task: static1
Behavioral task: behavioral1
- Sample: 51cb64e4ec187ad258be9ff42961658c691158ad358f84523ea2487da599d20d.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 51cb64e4ec187ad258be9ff42961658c691158ad358f84523ea2487da599d20d.exe
- Resource: win10v2004-20220310-en
Malware Config
Extracted
- Protocol: ftp
- Host: files.000webhost.com
- Port: 21
- Username: haxoriiml
Targets
- Target: 51cb64e4ec187ad258be9ff42961658c691158ad358f84523ea2487da599d20d
- Size: 645KB
- MD5: cdd9a729aa6eefd55f8b4964fc8ecbed
- SHA1: 13e6c9dca3239353eb32ea8557cc41fbaf169fec
- SHA256: 51cb64e4ec187ad258be9ff42961658c691158ad358f84523ea2487da599d20d
- SHA512: 7b7faa6094969ef46cd8792b2db13a2534c308a9c291f12638b7910bb1543236a9dad10261a2e0e9cfae7576e3f1c2d895f6208438430e723b52c0fb565673cb
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext