General
Target: a67e0117dfad39520598f9a0c6528026e6a009a3277fa5d2fbdcbf3dbc240c94
Size: 1.8MB
Sample: 220724-sf27csgcgj
MD5: c8f51de2fa94ef8c2343373af4eae8b8
SHA1: 9897502fb11a729fc629ba8950dcf3eb6af75b31
SHA256: a67e0117dfad39520598f9a0c6528026e6a009a3277fa5d2fbdcbf3dbc240c94
SHA512: 1a3497deb07eeedf294e4795905daacfbee60b2d86f6511d8504cc22b33229f55e2b84a2bf123127524b9cd8dcef598f2e79c9a0e500d2fe410db96369c2c3ae
Static task: static1
Behavioral task: behavioral1
Sample: a67e0117dfad39520598f9a0c6528026e6a009a3277fa5d2fbdcbf3dbc240c94.exe
Resource: win7-20220715-en
Malware Config
Extracted
Protocol: smtp
Host: mail.shams.iq
Port: 587
Username: ceo@shams.iq
Password: Cc#@123@321
These are the SMTP submission credentials (port 587 is the mail submission port) that the sample carries in its own configuration, not credentials it stole from the analysis machine. For a sample that bundles password-recovery tools, this is the outbound channel for the harvested data, so treat host, account and password as attacker-controlled exfiltration indicators: alert on or block SMTP from endpoints to mail.shams.iq:587, and note that the mailbox may itself be a compromised legitimate account on that domain rather than attacker-registered infrastructure.
Targets
Target: a67e0117dfad39520598f9a0c6528026e6a009a3277fa5d2fbdcbf3dbc240c94 (1.8MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures
- NirSoft MailPassView: password recovery tool for various email clients. A legitimate NirSoft utility, embedded here to harvest credentials saved by mail clients.
- NirSoft WebBrowserPassView: password recovery tool for various web browsers. Same pattern, for browser-saved passwords.
- Nirsoft: family tag for samples that embed NirSoft recovery tools.
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely geofencing.
- Loads dropped DLL
- Uses the VBS compiler for execution: starts the .NET Visual Basic compiler (vbc.exe), a signed Microsoft binary, as the process that carries the payload.
- Accesses Microsoft Outlook accounts: reads stored Outlook profile and account settings, where saved mail credentials live.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP. The lookup domain is a hunting pivot, not malicious on its own.
- Suspicious use of SetThreadContext: the API used to redirect the main thread of a suspended process, the hallmark of process hollowing. Read it together with the dropped-EXE and vbc.exe signatures when reconstructing the injection chain.
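As an added hunting example (not part of the sandbox report or any vendor's tooling), the script below parses the report's flattened Malware Config block into fields, turns it and the file hashes into indicators, and runs them over constructed Zeek JSON log lines to flag hosts that behave like the sample: resolving the exfil mail host, talking SMTP to it on the configured port, mailing through the configured account, or querying an external-IP service. The list of IP-check services and the assumption that the stealer mails from or to the configured account are mine; the report names neither the lookup service the sample used nor the envelope addresses it sends.

```python
# Hunting helper derived from the sandbox report above. Added example; not
# part of the report or of any sandbox vendor's tooling.
import hashlib
import json
import re
from collections import defaultdict

# Malware Config text exactly as it appears (flattened) in the report.
REPORT_CONFIG = """Protocol: smtp- Host:
mail.shams.iq - Port:
587 - Username:
ceo@shams.iq - Password:
Cc#@123@321"""

# File hashes from the report's General section.
HASHES = {
    "md5": "c8f51de2fa94ef8c2343373af4eae8b8",
    "sha1": "9897502fb11a729fc629ba8950dcf3eb6af75b31",
    "sha256": "a67e0117dfad39520598f9a0c6528026e6a009a3277fa5d2fbdcbf3dbc240c94",
    "sha512": "1a3497deb07eeedf294e4795905daacfbee60b2d86f6511d8504cc22b33229f5"
              "5e2b84a2bf123127524b9cd8dcef598f2e79c9a0e500d2fe410db96369c2c3ae",
}

# Assumption: common external-IP check services. The report says only that
# "a legitimate IP lookup service" was used, not which one.
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io"}


def parse_flattened_config(text):
    """Recover 'Key: value' pairs from 'Key: value - Key: value' text whose
    line breaks landed in arbitrary places (as in the report above)."""
    flat = " ".join(text.split())
    cfg = {}
    # Pairs are separated by a '-' that sits right before the next 'Key:'.
    for pair in re.split(r"\s*-\s*(?=[A-Za-z]+:)", flat):
        key, _, value = pair.partition(":")
        cfg[key.strip().lower()] = value.strip()
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


def matches_sample(data):
    """Subset of the report's hashes that `data` reproduces. All four agree on
    a true hit; a partial match means an IOC was mistyped somewhere."""
    return {alg: h for alg, h in HASHES.items()
            if hashlib.new(alg, data).hexdigest() == h}


# Constructed Zeek JSON records for the demo; not real telemetry.
ZEEK_JSON_LINES = """\
{"_path":"dns","ts":1.0,"id.orig_h":"10.0.0.5","query":"mail.shams.iq","answers":["203.0.113.25"]}
{"_path":"dns","ts":2.0,"id.orig_h":"10.0.0.5","query":"api.ipify.org","answers":["192.0.2.10"]}
{"_path":"conn","ts":3.0,"id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":443,"service":"ssl"}
{"_path":"conn","ts":4.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.25","id.resp_p":587,"service":"smtp"}
{"_path":"smtp","ts":4.1,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.25","mailfrom":"ceo@shams.iq","rcptto":["ceo@shams.iq"]}
{"_path":"dns","ts":5.0,"id.orig_h":"10.0.0.7","query":"mail.shams.iq","answers":["203.0.113.25"]}
{"_path":"conn","ts":6.0,"id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.20","id.resp_p":587,"service":"smtp"}
{"_path":"smtp","ts":6.1,"id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.20","mailfrom":"alice@example.com","rcptto":["bob@example.com"]}
"""


def hunt(cfg, log_lines):
    """Map each internal host to the sorted list of indicators it triggered."""
    records = [json.loads(l) for l in log_lines.splitlines() if l.strip()]
    findings = defaultdict(set)
    exfil_ips = defaultdict(set)  # orig_h -> IPs it resolved the mail host to

    # Pass 1: DNS. Resolve the configured mail host per client so later
    # connections can be matched by IP, and note external-IP lookups.
    for r in records:
        if r["_path"] != "dns":
            continue
        src, q = r["id.orig_h"], r.get("query", "").lower()
        if q == cfg["host"].lower():
            exfil_ips[src].update(r.get("answers", []))
            findings[src].add("resolved_exfil_mailhost")
        elif q in IP_CHECK_HOSTS:
            findings[src].add("external_ip_lookup")

    # Pass 2: SMTP to the resolved mail host on the configured port, and
    # envelopes using the configured account. Assumption: the stealer mails
    # from/to that account; the report gives only the login username.
    for r in records:
        src = r["id.orig_h"]
        if (r["_path"] == "conn" and r.get("id.resp_p") == cfg["port"]
                and r.get("id.resp_h") in exfil_ips.get(src, set())):
            findings[src].add("smtp_to_exfil_mailhost")
        elif r["_path"] == "smtp":
            addrs = {r.get("mailfrom", "").lower()} | {a.lower() for a in r.get("rcptto", [])}
            if cfg["username"].lower() in addrs:
                findings[src].add("mail_envelope_uses_exfil_account")
    return {src: sorted(f) for src, f in findings.items()}


def severity(findings):
    """Escalate only when the exfil channel is used, not merely resolved; an
    external-IP lookup alone is common in benign software."""
    if {"smtp_to_exfil_mailhost", "mail_envelope_uses_exfil_account"} & set(findings):
        return "high"
    if "resolved_exfil_mailhost" in findings:
        return "medium"
    return "low" if findings else "none"


if __name__ == "__main__":
    cfg = parse_flattened_config(REPORT_CONFIG)
    print("exfil channel:", cfg["protocol"], cfg["host"], cfg["port"], cfg["username"])
    for host, found in hunt(cfg, ZEEK_JSON_LINES).items():
        print(host, severity(found), found)
```

Matching by resolved IP rather than by hostname matters because Zeek's conn.log carries only addresses; a client that resolved mail.shams.iq and then opened port 587 to the answer is the one actually using the channel, while a host that merely resolved the name (10.0.0.7 in the sample data) is worth a look but not an incident on its own.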