General
-
Target
3bef58fef596df43e5b3ca9da3615fb32b211684a86cce0a9948fb39da456bd7
-
Size
942KB
-
Sample
220703-k4rfrsfch2
-
MD5
8c83a4dd0844ec6f31761656276cd6dc
-
SHA1
ae6f4465021b0f63b78835f7fa03a22d2fd856b5
-
SHA256
3bef58fef596df43e5b3ca9da3615fb32b211684a86cce0a9948fb39da456bd7
-
SHA512
f50f7c33830ba561276d02db9edd33cbde85850379f24b456b69a3d100354a9d64623a2e0535e782444f8f71b19da7c4245f4cebe4146383afc7d10dd8ecd1c0
Static task
static1
Behavioral task
behavioral1
Sample
3bef58fef596df43e5b3ca9da3615fb32b211684a86cce0a9948fb39da456bd7.exe
Resource
win7-20220414-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
billionkilos@yandex.com - Password:
billion123
Targets
-
-
Target
3bef58fef596df43e5b3ca9da3615fb32b211684a86cce0a9948fb39da456bd7
-
Size
942KB
-
MD5
8c83a4dd0844ec6f31761656276cd6dc
-
SHA1
ae6f4465021b0f63b78835f7fa03a22d2fd856b5
-
SHA256
3bef58fef596df43e5b3ca9da3615fb32b211684a86cce0a9948fb39da456bd7
-
SHA512
f50f7c33830ba561276d02db9edd33cbde85850379f24b456b69a3d100354a9d64623a2e0535e782444f8f71b19da7c4245f4cebe4146383afc7d10dd8ecd1c0
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-