General

Target: 11f7ede55463505baecc8fc1ebc5cc3701044389351fa3b742e5aed17d2724db
Size: 1.5MB
Sample: 220521-xzannsgacj
MD5: 3c4d38e9a0897587496c4167910a5c80
SHA1: 292b9936277840626b5ba802181b178d0f7e4388
SHA256: 11f7ede55463505baecc8fc1ebc5cc3701044389351fa3b742e5aed17d2724db
SHA512: 35be62a7232c6e88934deb8d658a1a8c5b4aa64198d02d48fd6a3ab501a76b1dc113b9eba5cdcaf55a1631054bf06b0ccb1a5dc48d411ccac09c0ef174925962
Static task: static1

Behavioral task: behavioral1
Sample: Seaway HBL copy & CREDIT NOTE.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: Seaway HBL copy & CREDIT NOTE.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: jana.stoeckigt@biotrouik.com
Password: _40Ejyi_+uDx

These SMTP credentials are embedded in the sample: they are the account the sample uses to send collected data, not a victim's mailbox. The host, port and sender address are usable network indicators; the password has no detection value on the wire and should not be circulated in indicator feeds.
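The extracted block above is all a responder needs to hunt for the exfiltration channel. The following is an added example, not part of the sandbox report: it parses the "Extracted" key/value block into a structured config, derives shareable indicators (deliberately dropping the password), and runs two checks over connection logs: an exact match on the extracted host and port, and a broader "SMTP submission to a host that is not one of our own relays" heuristic that would still fire if the operator rotated the mail host. The log line layout, the hostnames other than the extracted one, and the corporate relay allowlist are assumptions made for the example; the log lines are constructed, not real telemetry.

```python
"""Added example (not part of the sandbox report): turn the "Malware Config /
Extracted" SMTP block into network indicators and run them over connection logs.
The log line layout and the corporate relay allowlist below are assumptions."""
import re
from dataclasses import dataclass

# Key/value block as it appears in the report's Malware Config section.
EXTRACTED_CONFIG = """\
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: jana.stoeckigt@biotrouik.com
Password: _40Ejyi_+uDx
"""


@dataclass(frozen=True)
class SmtpExfilConfig:
    protocol: str
    host: str
    port: int
    username: str
    password: str


def parse_extracted_config(text: str) -> SmtpExfilConfig:
    """Parse 'Key: value' lines. A missing key raises KeyError rather than
    silently producing an empty indicator that would match nothing."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return SmtpExfilConfig(
        protocol=fields["protocol"].lower(),
        host=fields["host"].lower(),
        port=int(fields["port"]),
        username=fields["username"],
        password=fields["password"],
    )


def indicators(cfg: SmtpExfilConfig) -> dict:
    """Shareable indicators. The password is intentionally omitted: it is an
    attacker credential and has no detection value on the wire."""
    return {
        "smtp_host": cfg.host,
        "smtp_port": cfg.port,
        "sender_address": cfg.username,
        "sender_domain": cfg.username.rpartition("@")[2].lower(),
    }


# Constructed log lines (not real telemetry) in an assumed key=value layout.
SAMPLE_CONN_LOG = """\
2022-05-21T14:02:11Z src=WS-0421 dst=mail.corp.example dport=587 proto=tcp
2022-05-21T14:02:19Z src=WS-0421 dst=US2.SMTP.MAILHOSTBOX.COM dport=587 proto=tcp
2022-05-21T14:02:20Z src=WS-0421 dst=us2.smtp.mailhostbox.com dport=587 proto=tcp
2022-05-21T14:03:02Z src=WS-0130 dst=smtp.other-provider.example dport=587 proto=tcp
2022-05-21T14:03:40Z src=WS-0130 dst=www.example.com dport=443 proto=tcp
"""

# Assumed allowlist of the organisation's own mail submission hosts.
CORPORATE_RELAYS = {"mail.corp.example"}

_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def scan_conn_log(log: str, cfg: SmtpExfilConfig, relays=CORPORATE_RELAYS) -> list:
    """Return (timestamp, src, dst, reason) for each suspicious line.
    'ioc': exact match on the extracted host and port (case-insensitive).
    'unknown-relay': submission on the configured port to a host that is not
    one of our relays; catches a rotated exfiltration host the IOC misses."""
    hits = []
    for line in log.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        dst, dport = m["dst"].lower(), int(m["dport"])
        if dst == cfg.host and dport == cfg.port:
            hits.append((m["ts"], m["src"], dst, "ioc"))
        elif dport == cfg.port and dst not in relays:
            hits.append((m["ts"], m["src"], dst, "unknown-relay"))
    return hits


if __name__ == "__main__":
    cfg = parse_extracted_config(EXTRACTED_CONFIG)
    print(indicators(cfg))
    for hit in scan_conn_log(SAMPLE_CONN_LOG, cfg):
        print(*hit)
```

The "unknown-relay" branch is the one worth keeping after this sample is forgotten: a workstation opening port 587 to anything other than the organisation's own submission hosts is rare in most environments, and it is how you notice the next build of the same stealer when only the mailbox has changed.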
Targets

Target: Seaway HBL copy & CREDIT NOTE.exe
Size: 1.9MB
MD5: 3fb5f58bb106a4fc46c7cd7d021cd9c7
SHA1: 4a737e64c42d64e9ef5e1cd4c81793402ba236c9
SHA256: e3e7451b75ac83f674865fe1f4dd3da02cb1cb1c5015b3df36d0d2416e6c6e2b
SHA512: d7292fff43cce2e04476c46aee050e965820af45c499d2b5e37dc9871d59ee48a5d87961cfe6e0ea7dfb37b40e00f0d3414f15f345640f82fbffe2b8e27d3fe7

Note that this analyzed executable is a different file from the submission listed under General (different size and hashes); pivot on the hashes above, not the submission's, when hunting for the executable itself.
Signatures

- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Drops startup file
- Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework)
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (an API commonly used for process hollowing and thread hijacking)

Taken together these signatures are consistent with a credential stealer: the NirSoft recovery tools and Outlook account access handle collection, the SMTP account in the extracted config handles exfiltration, and the Run key plus the dropped startup file provide persistence. On a suspected host, check both persistence locations and look for outbound connections to the extracted SMTP host on port 587.