General
- Target: 3c8693f5041bb1b773ecbf07351976ada959186f5c4e7c341a11dc8c181f3304
- Size: 527KB
- Sample: 220703-hzwtkshhhq
- MD5: c2b27de81c50ed99cb916a0485254bbd
- SHA1: fb32e5af21e671af182251e88d664e73a0afa491
- SHA256: 3c8693f5041bb1b773ecbf07351976ada959186f5c4e7c341a11dc8c181f3304
- SHA512: d9fe576691ca5c5af94e5b0d488e07ca19a84a482ebe206fea6d3f3c6646b44857bbbbc3bada3958e123698558c28d7b27ea7a4ad8540334773b365fe7a7a536
Static task: static1

Behavioral task: behavioral1
- Sample: (PDF) PO&Invoice For your Confirmation..........pdf.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: (PDF) PO&Invoice For your Confirmation..........pdf.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: tlogs.log@yandex.com
- Password: trust147
Targets
- Target: (PDF) PO&Invoice For your Confirmation..........pdf.exe
- Size: 950KB
- MD5: 04d9a0e3c67732c01698af3902d2c3c6
- SHA1: dc1d397df18195cd06fdc3b174b2258410cbe162
- SHA256: b369be9337627cace4709477e4969c462ce26f7b9b73ab9c47d29a5efa0f9602
- SHA512: 28d1a3a65e24439b3dd33b2c2265d88d8ec0732fffd201dd1c9b73d5e6384cd463c3b38dc5e64562e498ddeaa125e58b6caefff54064d48bc3f0cf2a37954ada
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext