General
- Target: e1f8aa4490f8d8f5d35505c4896a08acdcc7375e6e732f0b8cd15c389ca002b2
- Size: 660KB
- Sample: 220521-nz2bysedc6
- MD5: b2e686c61828ccaac2a2f9547d8cc127
- SHA1: be7297122e4b67b0ce6595a3d2117841e21a9b0e
- SHA256: e1f8aa4490f8d8f5d35505c4896a08acdcc7375e6e732f0b8cd15c389ca002b2
- SHA512: c1d4d11c851d08d727aad98b7084a7b87f2cc2ee9acb68dff102ccc24d45a7e194567cb69ef572c15dea7736ce4f9594c1e830e098dc17359112403bccd6ccdd
Static task: static1
Behavioral task: behavioral1
- Sample: NEWPO90866543.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: NEWPO90866543.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.amargrand.mn
- Port: 587
- Username: logistic@amargrand.mn
- Password: amar8888
Targets
- Target: NEWPO90866543.exe
- Size: 1.1MB
- MD5: b253c7f028986673ea38364e4adcf445
- SHA1: c271b66645a79c8dca0b5f0783018e674fb4f4fa
- SHA256: 0d6437a1e212ba6c8b651098ae5863a45b1e81d201d3722bd52e0c6559898db8
- SHA512: 190ec85b91fb7b0b0801f97d4722080764728334a8b825eefd772a32bee255afad4f5670d63360d4875138fe98dfbc323f67eca29e6126644eb5d3679bc61e63
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext