General

  • Target

    549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

  • Size

    608KB

  • Sample

    220725-xdv3gsefaq

  • MD5

    41ef837433847acf45cee2c98b32afb4

  • SHA1

    538892e2ee5b53da1ec8410889aec16f7cba98be

  • SHA256

    549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

  • SHA512

    c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

Score
9/10

Malware Config

Targets

    • Target

      549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

    • Size

      608KB

    • MD5

      41ef837433847acf45cee2c98b32afb4

    • SHA1

      538892e2ee5b53da1ec8410889aec16f7cba98be

    • SHA256

      549eff7aa00eb51802988e887308d41e895d287e950c1744eafb1ecc587c0d75

    • SHA512

      c01904daec1f8ca4114e3ed6daddbe45a891ec3f88568bc875dd6c85a910b20749262f31eb8ffb910e25947e06499d808c8c5a674ef5e5989260949e84c2509b

    Score
    9/10
    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks