General
-
Target
95af6a249a9448a6e346407efa3f61d778f35f20656ab232bbf436f20acfeb97
-
Size
507KB
-
Sample
221002-p2b1hsfef8
-
MD5
7a659d5ddb34a4ca7c09fa505ab96210
-
SHA1
acd4e72eb34b7bed81ffb20a9b55d0af2b13563d
-
SHA256
95af6a249a9448a6e346407efa3f61d778f35f20656ab232bbf436f20acfeb97
-
SHA512
1a01c43e9bc9258936b7f20927613f559c2aad20e030d55fccb84144bbc1c8be403cf8d8c36c1abc48795dc042bbc5d5a15e520a70c1c1f11e0f8a59db069f2d
-
SSDEEP
6144:kubS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9xioI:kuQtqB5urTIoYWBQk1E+VF9mOx9O
Static task
static1
Behavioral task
behavioral1
Sample
95af6a249a9448a6e346407efa3f61d778f35f20656ab232bbf436f20acfeb97.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
95af6a249a9448a6e346407efa3f61d778f35f20656ab232bbf436f20acfeb97.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.yahoo.com
Port: 587
Username: thomsver@yahoo.com
Password: SetupNoob2012
Targets
-
Target
95af6a249a9448a6e346407efa3f61d778f35f20656ab232bbf436f20acfeb97
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-