General
- Target: 93b16ee22ee7c8a77ac718a118ac29d3f726d916e3be8c451ee1c9b3708ef0b2
- Size: 541KB
- Sample: 220521-myqcmacfg5
- MD5: 1becde90b6a5d2bb4e315df9fed82c2a
- SHA1: 105d23942126c1dfdc88a913e7ddad616450098b
- SHA256: 93b16ee22ee7c8a77ac718a118ac29d3f726d916e3be8c451ee1c9b3708ef0b2
- SHA512: 6aba15e4aeff052d6559653b959fee7081bbde66b7c0653966ed6feb2fa3bcd90d558fef86374432951ca071f624398f9cc76fbc27e783fc65b17901f3ece57d
Static task
- static1
Behavioral task
- behavioral1
  - Sample: PO983627289.exe
  - Resource: win7-20220414-en
Behavioral task
- behavioral2
  - Sample: PO983627289.exe
  - Resource: win10v2004-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.urban.co.th
- Port: 587
- Username: info@urban.co.th
- Password: Urban@1143
Targets
- Target: PO983627289.exe
- Size: 837KB
- MD5: c9ddd7789409993921f935f42e7fcf1a
- SHA1: cd5e920aa114733fe22005fdb282c048d6fa6a75
- SHA256: fce56056a7028ed4787e39d614c90e84804ad0dc03185a6532834564b10b7d5a
- SHA512: e47730702a08704dd9fa2abeed91bdfa8b197c4c7754e1c0af3322c332e4bc82990193d90f6a81cf49d73f9ffd899119c22b2570beab86beddd06389dd3f5447
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext