General
- Target: 3f3e40cc718ddba7c0e2ad51dcd64ef5d3f1a6f0e31f66e663c3a31e2d434522
- Size: 950KB
- Sample: 220701-cpy83aheg8
- MD5: c62053e5f1a09b35fb6efc94929fc0da
- SHA1: efdd44bc70dc0f5dd7dbc90eac7c1903062b4946
- SHA256: 3f3e40cc718ddba7c0e2ad51dcd64ef5d3f1a6f0e31f66e663c3a31e2d434522
- SHA512: 9936ea54cd13198104b3c0f1abf2060e3306fd3d549298a78dfaa270793cb72bb6807c3d3f6d2de831158f148a3da4ae56d879cbec572012c7a5b24a928868f0
Static task: static1
Behavioral task: behavioral1
- Sample: 3f3e40cc718ddba7c0e2ad51dcd64ef5d3f1a6f0e31f66e663c3a31e2d434522.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: slimguyslim@yandex.com
- Password: 123slimguy123
Targets
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext