General

Target: 089286ffcd2e619bec5d6822b387ccddac4121ad13fe44c4fb8c740eb6e19ee1
Size: 571KB
Sample: 220521-xhk33sfagl
MD5: 25b773a2149ae211d3d7cd559fdb7f2e
SHA1: eda014104d9b9ef227df2e739289870dca29e146
SHA256: 089286ffcd2e619bec5d6822b387ccddac4121ad13fe44c4fb8c740eb6e19ee1
SHA512: a5c5abaf699b1bdbb3ea1503277fd6e2b79600ee5620961a0531b9dbf2386bb312083457e0e231b17e28495d64d925152360b29287a022ff57bff719f232ad6b
Static task: static1

Behavioral task: behavioral1
Sample: NewOrder160620209988.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: NewOrder160620209988.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted
Protocol: smtp
Host: smtp.urban.co.th
Port: 587
Username: info@urban.co.th
Password: Urban@1143
Targets

Target: NewOrder160620209988.exe
Size: 873KB
MD5: 773ed1d737209e588bd14991930dd95d
SHA1: 4561afe4f73911c22c49c55d85cc56ce950d0d10
SHA256: 5680e271889058770b8e1e0511477865407735b5bbe46766599c6d0c88f74a43
SHA512: f2c228db2873e9ff2555e0df41c89f0ef790efdc65e45d9aeb2cd04007da2549cba4152147d06e6dc2f4a3e1dc8869f25c0bfca84f35e620dec2ea57bb409e9e

- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext