General
Target (SHA256): 7811b918425d1f25e70ad188f0581b3bacb1fb44c97a8ca84b99bab4e8a445f4
Size: 1.3MB
Sample: 220521-w71pdseddq
MD5: 36de7fba7d2fd68a1599cd35be60d951
SHA1: 75733fd5c26dea9b18f109c4013c3c3a84b7529d
SHA256: 7811b918425d1f25e70ad188f0581b3bacb1fb44c97a8ca84b99bab4e8a445f4
SHA512: 87f956a2724bf2c02d3a7a8f45866d47e46cffc49bc0e687f63a9e271c2e86073d411ece687e8743653ee3aa3415327d274d2aaf622747fcfe7313b8c89f8c8b
Static task: static1
Behavioral task: behavioral1
  Sample: Scan-0581110_pdf.gz.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Scan-0581110_pdf.gz.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: jana.stoeckigt@biotrouik.com
Password: _40Ejyi_+uDx

This is the sample's own exfiltration configuration: stolen data is sent by authenticated SMTP submission (port 587) to the operator's mailbox at the host above. The credentials belong to the attacker's account, not to a victim. Treat the host, port and account as indicators; do not log in with the credentials yourself, and report the account to the mail provider so it can be disabled.
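The extracted host and port are the actionable part of that config. The following script is an added example (it is not part of the sandbox report and not code from the sample): it correlates DNS resolutions of the exfil host with later outbound connections to port 587 from the same client. The DNS and flow log formats, the client addresses and the resolved address 192.0.2.50 are all constructed for the example; the mailbox credentials are deliberately not used.

```python
"""Correlate the extracted SMTP exfil config against network logs.

Added example, not part of the sandbox report. Log formats below are
invented for the example; adapt the two parsers to your DNS and flow sources.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Host and port exactly as extracted by the sandbox. The username/password
# are the operator's mailbox credentials and are intentionally left out.
EXFIL_CONFIG = {"protocol": "smtp", "host": "us2.smtp.mailhostbox.com", "port": 587}

# Constructed DNS log. Assumed format: "<ISO ts> <client_ip> DNS <qname> A <answer>"
# 192.0.2.50 is a documentation address, not the real resolution of the host.
DNS_LOG = """\
2022-05-21T10:02:11Z 10.0.0.15 DNS us2.smtp.mailhostbox.com A 192.0.2.50
2022-05-21T10:03:40Z 10.0.0.22 DNS mail.example.org A 198.51.100.8
2022-05-21T11:15:02Z 10.0.0.31 DNS us2.smtp.mailhostbox.com A 192.0.2.50
"""

# Constructed flow records. Assumed format: "<ISO ts> <src_ip> <dst_ip> <dport> <proto>"
FLOW_LOG = """\
2022-05-21T10:02:12Z 10.0.0.15 192.0.2.50 587 tcp
2022-05-21T10:03:41Z 10.0.0.22 198.51.100.8 587 tcp
2022-05-21T10:04:00Z 10.0.0.15 198.51.100.99 443 tcp
2022-05-21T12:30:00Z 10.0.0.31 192.0.2.50 587 tcp
"""


def _ts(value):
    # Accept the trailing "Z" on every Python 3 version that has fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_dns(text):
    """Yield (timestamp, client_ip, qname, answer_ip) from the constructed DNS format."""
    for line in text.splitlines():
        ts, client, _, qname, _, answer = line.split()
        yield _ts(ts), client, qname.lower(), answer


def parse_flows(text):
    """Yield (timestamp, src_ip, dst_ip, dport, proto) from the constructed flow format."""
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        yield _ts(ts), src, dst, int(dport), proto.lower()


def correlate(dns_text, flow_text, config, window=timedelta(hours=1)):
    """Return {client_ip: confidence} for clients touching the exfil host.

    "medium": the client resolved the exfil hostname (the malware's first step).
    "high":   it also opened a TCP connection to the resolved address on the
              configured port within `window` of the lookup.
    """
    host, port = config["host"].lower(), config["port"]
    resolutions = defaultdict(list)  # client_ip -> [(lookup_ts, answer_ip)]
    for ts, client, qname, answer in parse_dns(dns_text):
        if qname == host:
            resolutions[client].append((ts, answer))

    findings = {client: "medium" for client in resolutions}
    for ts, src, dst, dport, proto in parse_flows(flow_text):
        if proto != "tcp" or dport != port:
            continue
        for lookup_ts, answer in resolutions.get(src, []):
            if dst == answer and lookup_ts <= ts <= lookup_ts + window:
                findings[src] = "high"
                break
    return findings


if __name__ == "__main__":
    for client, confidence in sorted(correlate(DNS_LOG, FLOW_LOG, EXFIL_CONFIG).items()):
        print(f"{client}: {confidence}")
```

The one-hour window is a guess at how long the sample holds the resolved address before sending; widen it if your DNS logs come from a caching resolver, and add port 465 and 25 if you want to catch variants configured for other submission ports. A host that resolves the exfil name without a matching flow (10.0.0.31 above) still deserves a look, which is why it is reported at medium confidence rather than dropped.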
Targets
Target: Scan-0581110_pdf.gz.exe
Size: 1.7MB
MD5: b957faac8f23c005064e42c345c73d58
SHA1: 33340c0da44028b727785ad63b6bfac791806e89
SHA256: a659e8747ad30e259bde611723fd8b6fc9b040c7cc1a4524b21f6ac1c15e757b
SHA512: 8f62904201d6a6d5dc26d7f577afec06041f643c4059a44cbdec7e5b0197d61d445b2c4a931dac63fdb2ef5a022ada8e6496cfa2a91df79396dfed30adb33d0c

Note that this executable (1.7MB, SHA256 a659e874...) is not the object listed under General (1.3MB, SHA256 7811b918...): the submission is a container from which the sandbox extracted and ran this file, consistent with the .gz in its name. When matching against your own telemetry, use the hashes of the object you actually hold, and expect the inner executable rather than the archive to appear in process and file events. The double extension "_pdf.gz.exe" is a lure to make the executable pass as a compressed PDF.
Signatures
NirSoft MailPassView: password recovery tool for various email clients
NirSoft WebBrowserPassView: password recovery tool for various web browsers
Nirsoft: generic NirSoft tool indicators
  These are legitimate password recovery utilities; embedded in this sample they are used to harvest credentials saved by mail clients and browsers, which matches the SMTP exfiltration config above.
Drops startup file
Uses the VBS compiler for execution
  The sample launches the .NET Visual Basic compiler (vbc.exe). Combined with the SetThreadContext signature below, this is typically a hollowed host process for injected code rather than a real compilation, so a vbc.exe whose parent is not a build tool is the thing to hunt for.
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext
  Setting the context of another process's thread is the step in process hollowing that redirects execution into the injected image before the suspended thread is resumed.
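The behavioural signatures above translate directly into endpoint hunting rules. The script below is an added example, not part of the report and not code from the sample: it evaluates Sysmon-style events (process create, network connect, file create, registry value set, DNS query) for the persistence, execution and exfiltration patterns the sandbox flagged. The event dicts, host names, file paths, the dropped file name update.vbs, the list of IP lookup services and the benign allowlists are all assumptions constructed for the example; the report does not name which lookup service the sample used.

```python
"""Hunt for the sandbox-reported behaviours in Sysmon-style endpoint events.

Added example, not part of the report. Events are constructed dicts mimicking
Sysmon fields: EventID 1 (process create), 3 (network connect), 11 (file
create), 13 (registry value set), 22 (DNS query). All paths, host names and
allowlists are assumptions; tune them to your estate.
"""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
COMPILER_HOSTS = {"vbc.exe", "csc.exe"}        # .NET compilers abused as injection hosts
BUILD_PARENTS = {"msbuild.exe", "devenv.exe"}  # assumed legitimate parents of a compiler
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Public "what is my IP" services commonly contacted by stealers. Assumed list;
# the sandbox report does not say which one this sample used.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ipinfo.io"}

SAMPLE = "C:\\Users\\u\\Downloads\\Scan-0581110_pdf.gz.exe"   # path is constructed

# Constructed events: WS01 reproduces the report's behaviours, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 13, "Image": SAMPLE,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"Computer": "WS01", "EventID": 11, "Image": SAMPLE,
     "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": SAMPLE,
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"},
    {"Computer": "WS01", "EventID": 22, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "QueryName": "checkip.dyndns.org"},
    {"Computer": "WS01", "EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "DestinationPort": 587},
    {"Computer": "WS02", "EventID": 1, "ParentImage": "C:\\Program Files\\dotnet\\MSBuild.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"},
    {"Computer": "WS02", "EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
     "DestinationPort": 587},
    {"Computer": "WS02", "EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the name of the rule an event trips, or None."""
    eid = event["EventID"]
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "run_key_persistence"
    if eid == 11 and STARTUP_DIR.search(event.get("TargetFilename", "")):
        return "startup_folder_drop"
    if (eid == 1 and basename(event.get("Image", "")) in COMPILER_HOSTS
            and basename(event.get("ParentImage", "")) not in BUILD_PARENTS):
        return "compiler_as_host"
    if eid == 22 and event.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if (eid == 3 and event.get("DestinationPort") in SMTP_PORTS
            and basename(event.get("Image", "")) not in MAIL_CLIENTS):
        return "smtp_from_non_mail_client"
    return None


def hunt(events):
    """Group tripped rules per host: {computer: set of rule names}."""
    hits = defaultdict(set)
    for ev in events:
        rule = evaluate(ev)
        if rule:
            hits[ev["Computer"]].add(rule)
    return dict(hits)


if __name__ == "__main__":
    for host, rules in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
```

Each rule on its own is noisy (developers legitimately spawn vbc.exe, some applications do write Run keys), so treat the per-host set as the signal: a single machine tripping the persistence, compiler-host, IP-lookup and SMTP rules within a short window reproduces the sandbox's behaviour profile and is worth isolating, whereas WS02 trips nothing because its compiler has a build-tool parent and its SMTP traffic comes from a mail client.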