d3f0ee2f8e4bdb79adc9464fc9a83f00f5171a53ef73761efec1972b5780dc3f | Triage

Submit
Reports

Overview

overview

Static

static

RFQ Reques...on.exe

windows7_x64

RFQ Reques...on.exe

windows10-2004_x64

Sharing

General

Target

d3f0ee2f8e4bdb79adc9464fc9a83f00f5171a53ef73761efec1972b5780dc3f
Size

771KB
Sample

220521-b39fhschg9
MD5

d4b245a94cab3189cd7f86f5deea3baf
SHA1

fe7558d10136c60b41f1f37680fb81578c9723be
SHA256

d3f0ee2f8e4bdb79adc9464fc9a83f00f5171a53ef73761efec1972b5780dc3f
SHA512

591a4d9a8d2fe2814adc95754565db5ec6c2dfd94cc02155844506b1d7f5c6a140946383013c92e49707498fcedd90d154d0990fa2edb157f9ced0cb0e316d56

Score

10^/10

collection evasion spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

RFQ Request For Quotation.exe

Resource

win7-20220414-en

collection evasion spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RFQ Request For Quotation.exe

Resource

win10v2004-20220414-en

collection evasion spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftps4.us.freehostia.com
Port:
21
Username:
jumshi
Password:
udobobo2020

Targets

- Target
  
  RFQ Request For Quotation.exe
- Size
  
  1.0MB
- MD5
  
  746383a10231f3b6fa8d396596159716
- SHA1
  
  7b6423638e1a8497ea2a6cf2d868fd5cd3608c2a
- SHA256
  
  f594268a1b5164b9081ff67fcf423fab8eef1c605d98e80df27932d19cf08f2c
- SHA512
  
  3277cde8dcfa0d75215e50e1f512537d426b0096550504e42b311bbb8714fab9f4d840d7d167b31eb23959d6463f68e6b482e29b856156c597e38ab114ed0a2b
Score

10^/10

collection evasion spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Impair Defenses

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

collectionevasionspywarestealer

behavioral2

collectionevasionspywarestealer

© 2018-2024

Terms | Privacy