General
Target: 3d9767ba1d3cb2067cda8a8b0ec9a8f6550453f74721b6f0da218a5be41cf9c1
Size: 617KB
Sample: 220521-m49nfsgbdm
MD5: 299be880549518d16a66d99f2215a2bf
SHA1: 4de1601a9dee2a88f3f2da9194cf0d6cc9f90dd4
SHA256: 3d9767ba1d3cb2067cda8a8b0ec9a8f6550453f74721b6f0da218a5be41cf9c1
SHA512: 890c534f506dc4917c78e9f55b12c27be4e7d46a9b7e3369713fd0d0af907e13ecd8712195768ce125ab039121c653639cf5099164d09f5c24abe2e777e7cb45
Static task: static1
Behavioral task: behavioral1
  Sample: PO3902939304.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO3902939304.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.urban.co.th
  Port: 587
  Username: [email protected]
  Password: Urban@1143
Targets
Target: PO3902939304.exe
Size: 976KB
MD5: ab0e982a52e2b90858413c0b49102fa1
SHA1: 28b4bd9790d00b2b8287f15e8c6b6a29661e8cf0
SHA256: 0be2fd26cdd52bc071b076fc7350077db4962173366192cbc9870df8b3cb234c
SHA512: 5e3cfe9999288a63fcbad2cd69927b9ad062683014e15a4c483053bfa446d9bb7b1af58a5c0cc57271d615471548c219aefebb051748e9790e0adda82b412f10
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Setting another thread's context is a common step when a payload is injected into a suspended process.
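The behaviours above (Run-key persistence, the registry geolocation check, the external-IP lookup, Outlook profile access, and the SMTP exfiltration channel from the extracted config) are the kind of signals a defender would want to match from endpoint telemetry. The following is an added example, not output from the sandbox and not code from any tool the report names: a small matcher run over constructed registry/network events shaped like this run. The exact registry paths it keys on (`Control Panel\International\Geo\Nation`, `Outlook\Profiles`) and the list of IP-lookup hosts are assumptions about what such signatures typically look for, not facts taken from the report; the exfil credentials are deliberately left out, only host and port are used as hunt indicators.

```python
"""Toy behavioural-signature matcher for the events listed in this report.

Added example, not sandbox output. EVENTS is constructed telemetry that
imitates the run described on the page; registry paths and the IP-lookup
host list are assumptions, not data extracted from the sample.
"""
import re

# Constructed sample telemetry (not from the sandbox run).
EVENTS = [
    {"type": "registry_set", "process": "PO3902939304.exe",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\user\AppData\Roaming\svc.exe"},
    {"type": "registry_read", "process": "PO3902939304.exe",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},  # assumed geofence value
    {"type": "registry_read", "process": "PO3902939304.exe",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "http", "process": "PO3902939304.exe",
     "host": "api.ipify.org", "path": "/"},
    {"type": "tcp", "process": "PO3902939304.exe",
     "host": "smtp.urban.co.th", "port": 587},          # host/port from the extracted config
    {"type": "tcp", "process": "outlook.exe",
     "host": "smtp.office365.com", "port": 587},        # benign: a real mail client
    {"type": "http", "process": "msedge.exe",
     "host": "www.example.com", "path": "/"},           # benign browsing
]

# Assumed list of public IP-lookup services; extend for your environment.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}
# Processes that are expected to speak SMTP; anything else on a mail port is suspect.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
MAIL_PORTS = {25, 465, 587}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def match_signatures(events):
    """Return sorted (signature, process, detail) tuples for every matching event."""
    hits = set()
    for e in events:
        proc = e.get("process", "?")
        kind = e["type"]
        if kind == "registry_set" and RUN_KEY_RE.search(e["path"]):
            hits.add(("Adds Run key to start application", proc, e["path"]))
        elif kind == "registry_read" and e["path"].lower().endswith(r"\geo\nation"):
            hits.add(("Checks computer location settings", proc, e["path"]))
        elif kind == "registry_read" and r"\outlook\profiles" in e["path"].lower():
            hits.add(("Accesses Microsoft Outlook accounts", proc, e["path"]))
        elif kind == "http" and e["host"].lower() in IP_LOOKUP_HOSTS:
            hits.add(("Looks up external IP address via web service", proc, e["host"]))
        elif kind == "tcp" and e["port"] in MAIL_PORTS and proc.lower() not in MAIL_CLIENTS:
            hits.add(("SMTP connection from non-mail process", proc, f"{e['host']}:{e['port']}"))
    return sorted(hits)


def exfil_destinations(events):
    """host:port indicators for SMTP traffic from processes that are not mail clients."""
    return {detail for name, _proc, detail in match_signatures(events)
            if name == "SMTP connection from non-mail process"}


if __name__ == "__main__":
    for name, proc, detail in match_signatures(EVENTS):
        print(f"{name:45} {proc:20} {detail}")
    print("exfil destinations:", sorted(exfil_destinations(EVENTS)))
```

The SMTP rule is the one that pays off operationally: an infostealer that mails its loot out on port 587 from a process that is not a mail client stands out in flow data even when the credentials in the config have already been rotated, and the host:port pair can be blocked at egress while the mailbox owner is asked to disable the account.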