ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105 | Triage

Submit
Reports

Overview

overview

Static

static

ac6e643d7a...05.exe

windows7-x64

ac6e643d7a...05.exe

windows10-2004-x64

Sharing

General

Target

ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105
Size

756KB
Sample

221003-a6y9aahef9
MD5

3ebe850377e3258d0b8f63e2d2f1cb30
SHA1

0a93afbf0a1684c140e159dcda1f1b7336501d59
SHA256

ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105
SHA512

22ff7581945abed82b22428276bc1a0e9fb96f5b854b4651a8a7ad0321c6c70787134056ce4181c4cd0f299944b4a7a2cb3736966d566b4937777c8a7929298e
SSDEEP

12288:I3qBtw2tZ/gDOiWzZx8U9tzLqUTODF/9hKBycUzGpgvFtb7lgZ:I3qLptZIAkoh4ZnHTSZ

Score

10^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105.exe

Resource

win7-20220812-en

collection persistence spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105.exe

Resource

win10v2004-20220812-en

collection persistence spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
danologa2@gmail.com
Password:
gzccetvqpmnidjbp

Extracted

Credentials

Protocol: ftp
Host:
ftp.freehostia.com
Port:
21
Username:
danlog908
Password:
dan123

Targets

- Target
  
  ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105
- Size
  
  756KB
- MD5
  
  3ebe850377e3258d0b8f63e2d2f1cb30
- SHA1
  
  0a93afbf0a1684c140e159dcda1f1b7336501d59
- SHA256
  
  ac6e643d7a21b7bdc79a749aabc30d7c54fc02e08a7a6a40ce71d472e3611105
- SHA512
  
  22ff7581945abed82b22428276bc1a0e9fb96f5b854b4651a8a7ad0321c6c70787134056ce4181c4cd0f299944b4a7a2cb3736966d566b4937777c8a7929298e
- SSDEEP
  
  12288:I3qBtw2tZ/gDOiWzZx8U9tzLqUTODF/9hKBycUzGpgvFtb7lgZ:I3qLptZIAkoh4ZnHTSZ
Score

10^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

collectionpersistencespywarestealer

© 2018-2024

Terms | Privacy