General
Target: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f
Size: 912KB
Sample: 220724-b5ghhsadcp
MD5: 598843804e5c6c64eba09b9cd08bfd9d
SHA1: 213f93a0b4c73e5b8368e375dd0e89b053f9bcf5
SHA256: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f
SHA512: 0538d5c57ed42976b037bcfad36e42fe13b3aa98a57b7dd0b32006b0d589a72c48fc05daba12a11358a42dd86d9ceccca22b38e9bcad9c0a728c72a303e68046
Static task: static1
Behavioral task: behavioral1
  Sample: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f.exe
  Resource: win10v2004-20220721-en
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.vivaldi.net
  Port: 587
  Username: hklgs@vivaldi.net
  Password: nAMkXP8FUGvSc3wjPCKF
Targets
Target: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f
Size: 912KB
MD5: 598843804e5c6c64eba09b9cd08bfd9d
SHA1: 213f93a0b4c73e5b8368e375dd0e89b053f9bcf5
SHA256: 5a26755f58c6941b7a271ff806ede5fc2a952b575187643ecddecb40becc478f
SHA512: 0538d5c57ed42976b037bcfad36e42fe13b3aa98a57b7dd0b32006b0d589a72c48fc05daba12a11358a42dd86d9ceccca22b38e9bcad9c0a728c72a303e68046
Signatures
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext