General
-
Target
38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4
-
Size
411KB
-
Sample
220311-b7kyqaheeq
-
MD5
b4fbacbccd740dc82e4f01b5254da6f9
-
SHA1
61464744dbdc90470219c04343d50b63bdfae285
-
SHA256
38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4
-
SHA512
90722621d1a3b7f45ac0adae7ca1c7dad81966afdf9b1118bcdfcb9c938ef4b43c03f08eb2c6b722b529519cfe883b3e9873c4de03cb208636da2c826028caa6
Static task
static1
Behavioral task
behavioral1
Sample
38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
YWhoQG..GhvdG1...
Targets
-
-
Target
38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4
-
Size
411KB
-
MD5
b4fbacbccd740dc82e4f01b5254da6f9
-
SHA1
61464744dbdc90470219c04343d50b63bdfae285
-
SHA256
38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4
-
SHA512
90722621d1a3b7f45ac0adae7ca1c7dad81966afdf9b1118bcdfcb9c938ef4b43c03f08eb2c6b722b529519cfe883b3e9873c4de03cb208636da2c826028caa6
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-