General
-
Target
438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76
-
Size
946KB
-
Sample
220707-2g7ynsgff7
-
MD5
21efe3eae8d1d7bd215efe3a1599f562
-
SHA1
d49c95098c0750985a2729c30f050c614ad263c9
-
SHA256
438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76
-
SHA512
1d922c9e5fe1070bd8c2ddb66758e028e7e6a63fdbb5fa89ca857eac72be2050615722491cea3be594cd8f8e8168bb6ffd26660b966afc04337a9369cfc309b3
Static task
static1
Behavioral task
behavioral1
Sample
438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76.exe
Resource
win7-20220414-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
elb3r@yandex.com - Password:
adamssteve
Targets
-
-
Target
438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76
-
Size
946KB
-
MD5
21efe3eae8d1d7bd215efe3a1599f562
-
SHA1
d49c95098c0750985a2729c30f050c614ad263c9
-
SHA256
438b6a5acff79febaafb9d9ebf8183b95470d1c6bc1691f5d5aaf61f98d25a76
-
SHA512
1d922c9e5fe1070bd8c2ddb66758e028e7e6a63fdbb5fa89ca857eac72be2050615722491cea3be594cd8f8e8168bb6ffd26660b966afc04337a9369cfc309b3
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-