General
- Target: efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c
- Size: 1.1MB
- Sample: 220313-mrvzjagbap
- MD5: ab0dbb40ce1b6355c77ffa790626ac98
- SHA1: cb40fe0d6ad103d38e3761d0d5f56e3aebdc80c6
- SHA256: efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c
- SHA512: ee9027cd40d6027f1096f5882a5f42f6d3fb275f80782de63499c5c2e24a9aeccdb5301ae557b3555a58023a121f4ddb59352fa7efee95e2a7e327a1df1c9a2c
Static task: static1
Behavioral task: behavioral1
- Sample: efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c.exe
- Resource: win10v2004-en-20220113
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: robertovieira123321@gmail.com
- Password: 12345frozen
Targets
- DarkTrack Payload
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext