General
- Target: 2e6a6b1db04bcd6cf3f8520fecb998c1825de8bf5d00fcb18cab997d7730dc71
- Size: 531KB
- Sample: 220521-xhdzrsbgc5
- MD5: 28f1ac7d585f7c7930c6aec0f0ae8d7a
- SHA1: b7f8ad202c56286e752d8c77a9caef20fac8a447
- SHA256: 2e6a6b1db04bcd6cf3f8520fecb998c1825de8bf5d00fcb18cab997d7730dc71
- SHA512: 4ab7707cba28026affd5f57ed0a6f78a58fed0a9acaa4b8465995e87fff2ec5e3cd08dae8c49598a636ceddf26cbe31f3761501b2fb0a39cdcbdda395dc6f208
Static task
- static1

Behavioral task
- behavioral1
  Sample: PO9087665788.exe
  Resource: win7-20220414-en

Behavioral task
- behavioral2
  Sample: PO9087665788.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: webmail.tos-thailand.com
- Port: 587
- Username: sudarat.k@tos-thailand.com
- Password: P@ssw0rd
Targets
- Target: PO9087665788.exe
- Size: 825KB
- MD5: 105cab9441e63917a5c774c36ab801c6
- SHA1: c343476262267c46ebee6cf8683de3620ca938d0
- SHA256: 60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771
- SHA512: 5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext