General
-
Target
4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
-
Size
599KB
-
Sample
220712-qehp8aecf9
-
MD5
fc749757fb4f8b8f4ba51ccd2e24d83e
-
SHA1
8e822fb513966cdddeab856cc865bd54e90acf2e
-
SHA256
4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
-
SHA512
ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273
Static task
static1
Behavioral task
behavioral1
Sample
4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.grefas.co.th - Port:
587 - Username:
rachane@grefas.co.th - Password:
Cream3040
Targets
-
-
Target
4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
-
Size
599KB
-
MD5
fc749757fb4f8b8f4ba51ccd2e24d83e
-
SHA1
8e822fb513966cdddeab856cc865bd54e90acf2e
-
SHA256
4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
-
SHA512
ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273
-
suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
-
suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters
suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-