General
-
Target
700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f
-
Size
658KB
-
Sample
221003-cw7h1sdghp
-
MD5
6a942024ac5389bc89fce80ac6e03362
-
SHA1
9302b1bc030660f68d19d790b0e8909de2f02f7a
-
SHA256
700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f
-
SHA512
f923da95dba7db71d1cc212604d68f9b6cea0803d41cc2e016441a84c76e00b7bd2d38c206c71b0be59f0a4e8dcbde62358e48da7e2cddc77223d9be0acd4b26
-
SSDEEP
12288:5lchplWuedqCEPMaXPkLjcGTtdjAmpQjkJaMAjTVUBXCM9OswCZaEsboqOGulgWR:3cZWljaX8LTtxAnjKQUtCM99wMaEKiGQ
Behavioral task
behavioral1
Sample
700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
-
Protocol
smtp
-
Host
smtp.mail.ru
-
Port
587
-
Username
allan_cash02@mail.ru
-
Password
newyork555$$
Targets
-
Target
700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f
-
Size
658KB
-
MD5
6a942024ac5389bc89fce80ac6e03362
-
SHA1
9302b1bc030660f68d19d790b0e8909de2f02f7a
-
SHA256
700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f
-
SHA512
f923da95dba7db71d1cc212604d68f9b6cea0803d41cc2e016441a84c76e00b7bd2d38c206c71b0be59f0a4e8dcbde62358e48da7e2cddc77223d9be0acd4b26
-
SSDEEP
12288:5lchplWuedqCEPMaXPkLjcGTtdjAmpQjkJaMAjTVUBXCM9OswCZaEsboqOGulgWR:3cZWljaX8LTtxAnjKQUtCM99wMaEKiGQ
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
Setting the context of a thread in another process is a common step in process hollowing and similar code-injection techniques; check the child processes created by the sample.
-
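The signatures above (NirSoft password recovery tools, a Run key for autostart, an extracted SMTP account on smtp.mail.ru:587) are consistent with a credential stealer that mails its loot out over SMTP. The following is an added detection example, not part of the sandbox report: it correlates a Run/RunOnce registry write with an outbound SMTP connection from a process that is not a known mail client. The event shape is a simplified assumption (not the real Sysmon schema), the mail-client allow-list is an assumption, and the events in SAMPLE_EVENTS are constructed for the example.

```python
"""Correlate Run-key persistence with SMTP traffic from a non-mail process.

Added example; assumed simplified event shape, constructed sample events.
"""
import re
from collections import defaultdict

# Matches values written under ...\CurrentVersion\Run\ or ...\CurrentVersion\RunOnce\
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SMTP_PORTS = {25, 465, 587}  # 587 is the submission port from the extracted config
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list; tune per estate

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"event": "process_create", "pid": 1204, "parent_pid": 880,
     "image": r"C:\Users\analyst\Desktop\700e81c19ace1f5ef791ab99637579fc31da10c37887fc387251811040df8b0f.exe"},
    {"event": "registry_set", "pid": 1204,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\analyst\AppData\Roaming\Updater.exe"},
    {"event": "network_connect", "pid": 1204, "dst_host": "smtp.mail.ru", "dst_port": 587},
    # A real mail client on the submission port: expected, not flagged.
    {"event": "process_create", "pid": 3000, "parent_pid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event": "network_connect", "pid": 3000, "dst_host": "smtp.office365.com", "dst_port": 587},
    # An installer that only sets a Run key: one behaviour alone is not enough.
    {"event": "process_create", "pid": 4100, "parent_pid": 880, "image": r"C:\Temp\setup.exe"},
    {"event": "registry_set", "pid": 4100,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor Agent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]


def image_name(path):
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return one finding per pid that both wrote a Run/RunOnce value and
    connected to an SMTP port while not being a known mail client.

    A process whose image is unknown (no process_create seen) is treated as
    non-mail-client, so missing telemetry errs on the side of flagging.
    """
    images, run_keys, smtp = {}, defaultdict(list), defaultdict(list)
    for e in events:
        pid = e["pid"]
        if "image" in e:
            images[pid] = e["image"]
        if e["event"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            run_keys[pid].append((e["key"], e["value"]))
        elif e["event"] == "network_connect" and e["dst_port"] in SMTP_PORTS:
            if image_name(images.get(pid, "")) not in MAIL_CLIENTS:
                smtp[pid].append((e["dst_host"], e["dst_port"]))
    return [
        {"pid": pid, "image": images.get(pid),
         "run_keys": run_keys[pid], "smtp": smtp[pid]}
        for pid in sorted(run_keys.keys() & smtp.keys())
    ]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}): autostart {f['run_keys']} + SMTP {f['smtp']}")
```

Only the sample's process (pid 1204) is reported: Outlook talks SMTP but is allow-listed, and the installer sets a Run key without any mail traffic. Requiring both behaviours from the same process keeps the rule quiet on ordinary hosts; the dropped-EXE and SetThreadContext signatures above mean the two events may land in different processes, so a production version should also join on parent pid.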