a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14

General

Target

a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe
Size

735KB
MD5

87810746b38da07be350a85069cbb871
SHA1

2f8a012c3573e41ece125bb606c9aba77754baee
SHA256

a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14
SHA512

f6c46294357c25b31893ce8921a14c5faea0cbd4e7a316c9ac4f9a4d76533f2afc48b6cacbc31b6f28fa96367af908a003309b85f6abf1d27c5befe8cad69a19

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3612-146-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3612-148-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3612-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4616-139-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4616-141-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4616-142-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4616-143-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/4616-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4616-141-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4616-142-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4616-143-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3612-146-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3612-148-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3612-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3112 set thread context of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3116 set thread context of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 set thread context of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
4616	vbc.exe
3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe
3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3112 wrote to memory of 3116	3112	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	84
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 4616	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	85
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86
PID 3116 wrote to memory of 3612	3116	a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe	86

C:\Users\Admin\AppData\Local\Temp\a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe
"C:\Users\Admin\AppData\Local\Temp\a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe
  "C:\Users\Admin\AppData\Local\Temp\a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDB0E.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4616
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE010.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a97fc5992aa5bdfa1e9ec665a4e3c1702ce5bca09017698f519ccbd252ea0e14.exe.log

Filesize
405B

MD5
bb02d2315b8c3d46390cc8852c350909

SHA1
c7eb57165fb7be0cec9a282a56449d35a3e39a53

SHA256
6b04fbf03b5064dc32c8cbc7e5f125339ca297622487ed4269da381fa50b7290

SHA512
e395ec8866c9ba864bd59bfb84a88538a053740d66e2fa83926597b2e4b357a55f794c5b39c5ae43353f4debc865ec6b4c60494da32a10e643582b6ae130d080

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB0E.tmp

Filesize
4KB

MD5
a64ef19cb7924d0ef7b27699e0237041

SHA1
b6392aa8451f0721fcadff793808f8630182e66e

SHA256
66635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56

SHA512
66f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b

Download Submit
memory/3112-135-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3112-131-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3112-130-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3116-137-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3116-136-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3612-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3612-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3612-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4616-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4616-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4616-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4616-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing