General
-
Target
6f2c978fe1e0f096fa82d0fc8ac4a14975ae2b3e0cb2b769474e0ea20ee6f0c2
-
Size
946KB
-
Sample
220724-x9fmnsdff6
-
MD5
f7e8bc8ce5a1764b9abfa76d114b35a3
-
SHA1
f955fa29e17ae49cde296c4385bfb131fdf141c1
-
SHA256
6f2c978fe1e0f096fa82d0fc8ac4a14975ae2b3e0cb2b769474e0ea20ee6f0c2
-
SHA512
1e25c3ebdf9b41da72f16254ee3756ecbe32cdffbc02cfba59f0a54f9dffbf23fdc5e07d9ed7dd229fa016d20172ebaffc5fee5d975b191ed574d8827c22b77e
Static task
static1
Behavioral task
behavioral1
Sample
6f2c978fe1e0f096fa82d0fc8ac4a14975ae2b3e0cb2b769474e0ea20ee6f0c2.exe
Resource
win7-20220715-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
han.white101@yandex.com - Password:
qwerty67890
Targets
-
-
Target
6f2c978fe1e0f096fa82d0fc8ac4a14975ae2b3e0cb2b769474e0ea20ee6f0c2
-
Size
946KB
-
MD5
f7e8bc8ce5a1764b9abfa76d114b35a3
-
SHA1
f955fa29e17ae49cde296c4385bfb131fdf141c1
-
SHA256
6f2c978fe1e0f096fa82d0fc8ac4a14975ae2b3e0cb2b769474e0ea20ee6f0c2
-
SHA512
1e25c3ebdf9b41da72f16254ee3756ecbe32cdffbc02cfba59f0a54f9dffbf23fdc5e07d9ed7dd229fa016d20172ebaffc5fee5d975b191ed574d8827c22b77e
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-