General

Target: 3c193d2349a6a0f650e5084d4bc132d7c4d3401a044ab1c4b27886f54819aab1
Size: 1.3MB
Sample: 220703-kh9p8accaq
MD5: 0bd383c4db2cbebccc9581e314596849
SHA1: 9776ed305ed2473ddd4de935d19123bb0984f28b
SHA256: 3c193d2349a6a0f650e5084d4bc132d7c4d3401a044ab1c4b27886f54819aab1
SHA512: 061d3d70f43ecf76307071cd282a8cd2ab0538c39c67f3df40a5c7ef351a0a5ed06e14949e6799e89183c470306421db7f959d4d67ebabeabea17a1888f00656
Static task: static1

Behavioral task: behavioral1
Sample: 3c193d2349a6a0f650e5084d4bc132d7c4d3401a044ab1c4b27886f54819aab1.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 3c193d2349a6a0f650e5084d4bc132d7c4d3401a044ab1c4b27886f54819aab1.exe
Resource: win10v2004-20220414-en
Malware Config

Targets

Target: 3c193d2349a6a0f650e5084d4bc132d7c4d3401a044ab1c4b27886f54819aab1
Size: 1.3MB
MD5: 0bd383c4db2cbebccc9581e314596849
SHA1: 9776ed305ed2473ddd4de935d19123bb0984f28b
SHA256: 3c193d2349a6a0f650e5084d4bc132d7c4d3401a044ab1c4b27886f54819aab1
SHA512: 061d3d70f43ecf76307071cd282a8cd2ab0538c39c67f3df40a5c7ef351a0a5ed06e14949e6799e89183c470306421db7f959d4d67ebabeabea17a1888f00656
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP address
- AutoIT Executable: AutoIT scripts compiled to PE executables
- Suspicious use of SetThreadContext: rewriting another thread's context is a common process injection primitive (for example process hollowing)
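The behaviours the sandbox flagged above (Run key persistence, firewall modification, execution through the VBS compiler, the registry country-code lookup, and the external IP lookup) are the kind of thing a responder wants to re-find in endpoint telemetry rather than only in a report. The script below is an added example, not code from the sandbox or from this report's author: it parses a constructed key=value pseudo-telemetry log (not real Sysmon or EDR output), applies one rule per report signature, and rolls hits from child processes (netsh.exe, vbc.exe) up to the spawning dropper. The mapping of each signature to a concrete indicator, the process names, and the hostname list are the author's assumptions; the sample events are constructed.

```python
"""Re-detect the sandbox-reported behaviours in constructed endpoint telemetry.

Added example, not the sandbox's own logic. Event format and the
signature-to-indicator mapping are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Constructed telemetry: one event per line, '|'-separated key=value fields.
SAMPLE_EVENTS = """\
type=process|pid=1204|ppid=800|image=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe|cmdline=sample.exe
type=registry_set|pid=1204|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=Updater|data=C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe
type=registry_query|pid=1204|key=HKCU\\Control Panel\\International\\Geo|value=Nation
type=process|pid=1320|ppid=1204|image=C:\\Windows\\System32\\netsh.exe|cmdline=netsh advfirewall firewall add rule name=svc dir=in action=allow program=C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe
type=process|pid=1404|ppid=1204|image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe|cmdline=vbc.exe
type=network|pid=1404|dest_host=api.ipify.org|dest_port=443
type=process|pid=1500|ppid=800|image=C:\\Windows\\System32\\notepad.exe|cmdline=notepad.exe
type=network|pid=1500|dest_host=update.example.com|dest_port=443
"""

# Illustrative list of public "what is my IP" services (assumption: not exhaustive).
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.dyndns.org",
                   "ip-api.com", "ifconfig.me"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)


def parse_event(line):
    """Split 'k=v|k=v' into a dict; partition on the first '=' so values may contain '='."""
    event = {}
    for field in line.split("|"):
        key, _, val = field.partition("=")
        event[key] = val
    return event


def run_key_persistence(ev):
    return ev["type"] == "registry_set" and bool(RUN_KEY_RE.search(ev.get("key", "")))


def firewall_modification(ev):
    return (ev["type"] == "process"
            and ev.get("image", "").lower().endswith("\\netsh.exe")
            and "firewall" in ev.get("cmdline", "").lower())


def vbs_compiler_execution(ev):
    # Assumption: the report's "VBS compiler" signature corresponds to vbc.exe.
    return ev["type"] == "process" and ev.get("image", "").lower().endswith("\\vbc.exe")


def location_check(ev):
    # HKCU\Control Panel\International\Geo\Nation holds the configured GeoID.
    return (ev["type"] == "registry_query"
            and ev.get("key", "").lower().endswith("\\control panel\\international\\geo")
            and ev.get("value", "").lower() == "nation")


def external_ip_lookup(ev):
    return ev["type"] == "network" and ev.get("dest_host", "").lower() in IP_LOOKUP_HOSTS


RULES = {
    "Adds Run key to start application": run_key_persistence,
    "Modifies Windows Firewall": firewall_modification,
    "Uses the VBS compiler for execution": vbs_compiler_execution,
    "Checks computer location settings": location_check,
    "Looks up external IP address via web service": external_ip_lookup,
}


def triage(log_text):
    """Return {pid: sorted signature names}, with hits rolled up to every observed ancestor."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                # Walk up the process tree so child-process tricks (netsh, vbc.exe)
                # are attributed to the dropper that spawned them.
                pid = ev["pid"]
                while pid in parent:
                    hits[pid].add(name)
                    pid = parent[pid]
    return {pid: sorted(names) for pid, names in hits.items()}


def flag(results, threshold=3):
    """PIDs matching at least `threshold` distinct report signatures (assumed cut-off)."""
    return sorted(pid for pid, names in results.items() if len(names) >= threshold)


if __name__ == "__main__":
    for pid, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, names)
    print("flagged:", flag(triage(SAMPLE_EVENTS)))
```

Only the dropper (pid 1204) crosses the three-signature threshold; netsh.exe and vbc.exe each carry one or two hits on their own, which is why the roll-up matters when the loader delegates its noisy actions to children. Note that registry reads are not logged by Sysmon, so the location check only works on telemetry that records query events.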