General
Target: 3a2ad0bdeda7c25c8aab96d2d2c2475d4dcb46be7ba69e23b98ae0c8f75c4dbe
Size: 1.0MB
Sample: 220625-g9v5csbgc6
MD5: 352c94d7274f0db55cc2a7de88d1a461
SHA1: 1ef0e6adc7658520eda8da5044697615e77881f3
SHA256: 3a2ad0bdeda7c25c8aab96d2d2c2475d4dcb46be7ba69e23b98ae0c8f75c4dbe
SHA512: 61d6420c3f8ccef965a1425f7c3fd5d3961bf9c35c3ccea0903f1131d90728606d02249c3f7ecf214c9b2a20eb53be5a691dac8c737b7a7f7ffc2394595ff8b0
Static task: static1
Behavioral task: behavioral1
Sample: 3a2ad0bdeda7c25c8aab96d2d2c2475d4dcb46be7ba69e23b98ae0c8f75c4dbe.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 3a2ad0bdeda7c25c8aab96d2d2c2475d4dcb46be7ba69e23b98ae0c8f75c4dbe.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: longwheelbase2018@yandex.com
Password: myrecords1248
Targets
Target: 3a2ad0bdeda7c25c8aab96d2d2c2475d4dcb46be7ba69e23b98ae0c8f75c4dbe
Size: 1.0MB
MD5: 352c94d7274f0db55cc2a7de88d1a461
SHA1: 1ef0e6adc7658520eda8da5044697615e77881f3
SHA256: 3a2ad0bdeda7c25c8aab96d2d2c2475d4dcb46be7ba69e23b98ae0c8f75c4dbe
SHA512: 61d6420c3f8ccef965a1425f7c3fd5d3961bf9c35c3ccea0903f1131d90728606d02249c3f7ecf214c9b2a20eb53be5a691dac8c737b7a7f7ffc2394595ff8b0
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
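The extracted SMTP configuration and the behaviour signatures above are the parts of this report a responder can act on. The script below is an added example, not the sandbox's own detection logic, showing how those indicators translate into host-level detections: it replays a handful of constructed Sysmon-style events (ProcessCreate, NetworkConnect, RegistryValueSet, DnsQuery) and flags the VB compiler being launched from an unexpected parent, a Run-key write, a DNS lookup to an external-IP service, and an SMTP connection to the extracted exfiltration host on port 587. The IP-lookup hostnames are an assumption (the report only says "a legitimate IP lookup service"), the list of legitimate parents for the compiler is an assumption, and the sample events are constructed rather than taken from the report. The extracted password is a credential, not an indicator, so it is deliberately not carried into the detection content.

```python
"""Added example: replay the behaviours this report tags against Sysmon-style events.

Not the sandbox's own detection logic. Field names follow Sysmon (EventID 1
ProcessCreate, 3 NetworkConnect, 13 RegistryValueSet, 22 DnsQuery); the sample
events at the bottom are constructed for this demo, not taken from the report.
"""
import json

# Network indicators from the extracted config on this page. The SMTP password
# is a credential, not an indicator, and is intentionally not reproduced here.
EXFIL_SMTP_HOST = "smtp.yandex.com"
EXFIL_SMTP_PORT = 587

# Assumption: the report only says "a legitimate IP lookup service"; these are
# common choices and are not named anywhere in the report.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ipinfo.io"}

# Registry paths behind "Adds Run key to start application" (compared lowercase).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Assumption: parents from which the .NET VB compiler is expected on a workstation.
LEGIT_VBC_PARENTS = ("\\msbuild.exe", "\\devenv.exe")


def _image(ev, key="Image"):
    """Lower-cased image path, empty string when the field is absent."""
    return ev.get(key, "").lower()


def analyse(events):
    """Return one dict per matched rule, in event order."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = _image(ev)
        if eid == 1 and image.endswith("\\vbc.exe") \
                and not _image(ev, "ParentImage").endswith(LEGIT_VBC_PARENTS):
            # "Uses the VBS compiler for execution": vbc.exe spawned by a non-build tool.
            hits.append({"rule": "vbc_compiler_execution", "image": image,
                         "detail": ev.get("ParentImage")})
        elif eid == 13 and any(m in ev.get("TargetObject", "").lower()
                               for m in RUN_KEY_MARKERS):
            hits.append({"rule": "run_key_persistence", "image": image,
                         "detail": ev.get("TargetObject")})
        elif eid == 22:
            query = ev.get("QueryName", "").lower()
            if query in IP_LOOKUP_HOSTS:
                hits.append({"rule": "external_ip_lookup", "image": image, "detail": query})
            elif query == EXFIL_SMTP_HOST:
                hits.append({"rule": "smtp_exfil_dns", "image": image, "detail": query})
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            port = ev.get("DestinationPort")
            if host == EXFIL_SMTP_HOST and port == EXFIL_SMTP_PORT:
                hits.append({"rule": "smtp_exfil_connection", "image": image,
                             "detail": f"{host}:{port}"})
            # A compiler process has no reason to talk to the network; after the
            # SetThreadContext-style hollowing the report flags, this is what the
            # injected payload looks like from the outside.
            if image.endswith("\\vbc.exe"):
                hits.append({"rule": "network_from_compiler_process", "image": image,
                             "detail": f"{host}:{port}"})
    return hits


# Constructed events (not from the report), in the order a detonation would emit them.
SAMPLE = "C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": VBC, "ParentImage": SAMPLE},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample"},
    {"EventID": 22, "Image": VBC, "QueryName": "checkip.dyndns.org"},
    {"EventID": 22, "Image": VBC, "QueryName": "smtp.yandex.com"},
    {"EventID": 3, "Image": VBC, "DestinationHostname": "smtp.yandex.com",
     "DestinationPort": 587},
    {"EventID": 3, "Image": SAMPLE, "DestinationHostname": "www.microsoft.com",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

The SMTP connection event fires two rules on purpose: the destination match ties the host to this specific config, while the compiler-talks-to-network rule keeps working after the actor rotates the mailbox, which is the more durable of the two.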