General
-
Target
409124e57a2ab5aaf134faccfc95c8a16cefc06fcce2ba0709b16a9d6c4f1249
-
Size
696KB
-
Sample
220708-tkdj8shbgn
-
MD5
e154ef52bf7c63d898c2873a525b8168
-
SHA1
b3afee77841d0ac7859ae0627df09ce2c7133f1b
-
SHA256
409124e57a2ab5aaf134faccfc95c8a16cefc06fcce2ba0709b16a9d6c4f1249
-
SHA512
0659977f7e4a4b49f30e9e8fcf3bac9365f997c40dc0d4653bc73fe2a665179ee15eb5c2e2d4477948bd05cb04e0ca9abe659072e46a197b981124812b1614bd
Static task
static1
Behavioral task
behavioral1
Sample
409124e57a2ab5aaf134faccfc95c8a16cefc06fcce2ba0709b16a9d6c4f1249.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
409124e57a2ab5aaf134faccfc95c8a16cefc06fcce2ba0709b16a9d6c4f1249.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
Protocol: smtp- Host:
ns7.hadara.ps - Port:
587 - Username:
box@alnasserstone.com - Password:
qazxswqazxsw@123
Targets
-
-
Target
409124e57a2ab5aaf134faccfc95c8a16cefc06fcce2ba0709b16a9d6c4f1249
-
Size
696KB
-
MD5
e154ef52bf7c63d898c2873a525b8168
-
SHA1
b3afee77841d0ac7859ae0627df09ce2c7133f1b
-
SHA256
409124e57a2ab5aaf134faccfc95c8a16cefc06fcce2ba0709b16a9d6c4f1249
-
SHA512
0659977f7e4a4b49f30e9e8fcf3bac9365f997c40dc0d4653bc73fe2a665179ee15eb5c2e2d4477948bd05cb04e0ca9abe659072e46a197b981124812b1614bd
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-