General
- Target: f47e8cf02f856c487fd8f832ba0de87778eeb4e8bcb405407b4145b2050879e7
- Size: 1.2MB
- Sample: 220521-prennabahj
- MD5: 539e1051ca625b5e4fd0fc24bce51536
- SHA1: ce44eac8d1ebb35cf54ad0f89034685223e90b3a
- SHA256: f47e8cf02f856c487fd8f832ba0de87778eeb4e8bcb405407b4145b2050879e7
- SHA512: 3cf6c73444ddc4ac84b4f47b57763f074f221781e9347563487f63b4e3eaec34ba58fa73954c97174a96f8b36ce7d66dbf5d203af891e83172dd9df1aea9d64b
Static task: static1

Behavioral task: behavioral1
- Sample: DOC29309.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: DOC29309.exe
- Resource: win10v2004-20220414-en

Behavioral task: behavioral3
- Sample: DOC30039.exe
- Resource: win7-20220414-en

Behavioral task: behavioral4
- Sample: DOC30039.exe
- Resource: win10v2004-20220414-en
Malware Config

Extracted
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: b.goicoechea@amyavigo.es
- Password: 75457545bg

Extracted
limerat
- 1LYXfE3ZfhsvvuTfAC7kasRQD4EnwgoeJx
- aes_key: 0000000000000000
- antivm: true
- c2_url: https://pastebin.com/raw/84gGtTLk
- delay: 3
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: false
Targets

Target: DOC29309.EXE
- Size: 283KB
- MD5: 92b37680ac5c24374bafb7db5be4fd0a
- SHA1: df08457d10f1ffea52d7115d5b0a498509e5a72a
- SHA256: f5ce2ee6334c46aae1d42e65626227232ca319a3a4c7e6388df99b0bc7da646e
- SHA512: 4e05d6e3c0f7aa45de04c508db58476c9a7ab9a52fc6d9d59874193c8629b4bba3e430b6c1096fdd6952e794893699e2143fc0918e833ad1f92dacde9817d9fb
- 404 Keylogger Main Executable
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: DOC30039.EXE
- Size: 295KB
- MD5: 60c0778625ff004c0189cb7af4634e69
- SHA1: 383d1e456c253dd108bd70d75e225d6e8d72d4ed
- SHA256: a1a937a1fc9c9b0cafc877fae326d61f3ee3d0574f04da24fa490caff6a6b7cf
- SHA512: 39b5b9762116c62ce800a175459472c3fe55e33b21673643a4e1d1623e46e55d19d94a738ed9dc558939e6af9ce0569dce921bd6e17b5e5c1d760d1cba1ed0e8
- Score: 10/10
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext