General
- Target: 92c85e11f297d167ac13774cd32ae7106f11f295251be0983990b150a8e3b576
- Size: 1.3MB
- Sample: 220521-w7l61abba3
- MD5: 833fd320bd8561f6b5a0d9edce0697f8
- SHA1: 4b798e87d2cbe2e93f35a3a8f3dfa2ee99e9c03f
- SHA256: 92c85e11f297d167ac13774cd32ae7106f11f295251be0983990b150a8e3b576
- SHA512: 0d72ee76ee0ba1dd3d6f03084b1b8590e472d614fc8018d1863bed6f13e67f51c1e4c9d2d0a3be7834cc06463e4837d612e5e8701e6593ce043d82cb0b746466
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: outback.websitewelcome.com
- Port: 587
- Username: sungearmotors@2020weddingeventz2.com
- Password: chukwuma12
Targets
- Target: Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.EXE
- Size: 1.8MB
- MD5: cc5e307e68ccb5b363a1d8125e0edfb1
- SHA1: 0937747b83e0624bec024daadeaf5c7effdbcb36
- SHA256: 82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5
- SHA512: ac464272963a2208cf7061e22c75d2ae5b9c76ade74cd1c21aeb28690d2d2ccee45c2cfafe09ad588a56a802f438dfc9a56e60792f87e483db727b8286968815
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext