General
- Target: 0bd7b71dfeab3d16912a1b8a4bd6480ec63b546da2d7f06082f09f0c7055e596
- Size: 567KB
- Sample: 220521-mzm9nacgc6
- MD5: 1570068d19341ec6bfb669f3014bece0
- SHA1: 69863c2a3a0146c663cf0477421265bb3648e0e9
- SHA256: 0bd7b71dfeab3d16912a1b8a4bd6480ec63b546da2d7f06082f09f0c7055e596
- SHA512: 6940f0d1a6d159da240d2cd14dd584053e36af5c4285d529e7e525acdbab65b57ab95f26bd2a976ef92acbb00c39cac20b902012b9f03ca30333817248533888
Static task
- static1

Behavioral task
- behavioral1
- Sample: order12062020.exe
- Resource: win7-20220414-en

Behavioral task
- behavioral2
- Sample: order12062020.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.urban.co.th
- Port: 587
- Username: [email protected]
- Password: Urban@1143
Targets
- Target: order12062020.exe
- Size: 874KB
- MD5: 2cde7eb7c2f3d608b65d840591e00080
- SHA1: bb05b6f62fba88fea614a8fb03649473f86a7748
- SHA256: 8a98e6c68557ca5e0b2c2f7bec7ffd9a4a58479ce307c7fc88c030e4d0baf694
- SHA512: 936ba95b895cf2606a030be7c3ac7dd373a9b3876788a0b6105f1ed025a66110fb4e64e7b4803c1be117110565b41b457b7861d10de161c4e1db197948b3ca83
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext