General
- Target: 1d02421b1913ef82d3b47fe700e0713708d34d0f5a2046d342935c523b566ab8
- Size: 693KB
- Sample: 220521-n3v94shfgn
- MD5: 4857342f11fa426c44f0909035a7ca26
- SHA1: 1469340c34329baa7f7a1f8e75d22c0186e271f8
- SHA256: 1d02421b1913ef82d3b47fe700e0713708d34d0f5a2046d342935c523b566ab8
- SHA512: ab3cd2802876b79964d72a5dfb3e9557258e27ff40dd5006667c3e79518aa5627a746bc948eacc00150df8c626e97cb003d4a34987dfc9d08d83a279681b482d

Static task
- static1

Behavioral task: behavioral1
- Sample: order27JUN2020.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: order27JUN2020.exe
- Resource: win10v2004-20220414-en

Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: tools12345

Targets
Target: order27JUN2020.exe
- Size: 1.1MB
- MD5: be98c6f660e9fd9b081e57a62c5cdee5
- SHA1: 218b5887915381ee1ef1fba9d32e298cac53e24c
- SHA256: e5773ee0a80729fb252043547f3598591a2335a1ea3dcede3bbdf48e32781def
- SHA512: d344263e5c67aaf342bd4face320ee1c815b4040724285e704f62874752a0da021187cda183e9a432409cbed3da16f4d8789444e6f5eccebafd8083bb105ea44

- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext