General
Target: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
Size: 5.6MB
Sample: 220724-hbq87aagcr
MD5: 80a0a3da2f9717c0532cc760b1e7f746
SHA1: 999e1bd2c3947f898d21572c2c360de72232ef09
SHA256: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
SHA512: 4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5
Behavioral task: behavioral1
Sample: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
Resource: win7-20220718-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.vivaldi.net
Port: 587
Username: hklgs@vivaldi.net
Password: nAMkXP8FUGvSc3wjPCKF
Targets
Target: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
Size: 5.6MB
MD5: 80a0a3da2f9717c0532cc760b1e7f746
SHA1: 999e1bd2c3947f898d21572c2c360de72232ef09
SHA256: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
SHA512: 4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Drops desktop.ini file(s)
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext