1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f | Triage

Submit
Reports

Overview

overview

Static

static

1bb23fb612...0f.exe

windows7-x64

1bb23fb612...0f.exe

windows10-2004-x64

Sharing

General

Target

1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f
Size

622KB
Sample

221123-r8d5kadf4z
MD5

49bf94707e8c8f9bd40e617165be5b52
SHA1

f4f5b6cd9c87acd6619ee76e4c0ac388583ff7c5
SHA256

1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f
SHA512

a0090c396c230f7c51b53e4b947556f26e887e1ea186e0c076ab840fc633db4697c947d8950a2aa3ec54717b88b12ade4f43538cd2fed9144d431c7e65a2221b
SSDEEP

12288:A8w7gYZ4+Rutkdy2oqvdT406LGrkGE4Qiujc+zNNZcy:tw7pXktkHT40BFE77FzKy

Score

10^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f.exe

Resource

win7-20221111-en

collection persistence spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f.exe

Resource

win10v2004-20220812-en

collection persistence spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
glfjdvzcsbfwvmtr

Targets

- Target
  
  1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f
- Size
  
  622KB
- MD5
  
  49bf94707e8c8f9bd40e617165be5b52
- SHA1
  
  f4f5b6cd9c87acd6619ee76e4c0ac388583ff7c5
- SHA256
  
  1bb23fb612b0e226c7c5ef11bba8967cf997fd11d33cffcd68ffdba2733efa0f
- SHA512
  
  a0090c396c230f7c51b53e4b947556f26e887e1ea186e0c076ab840fc633db4697c947d8950a2aa3ec54717b88b12ade4f43538cd2fed9144d431c7e65a2221b
- SSDEEP
  
  12288:A8w7gYZ4+Rutkdy2oqvdT406LGrkGE4Qiujc+zNNZcy:tw7pXktkHT40BFE77FzKy
Score

10^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

collectionpersistencespywarestealer

© 2018-2024

Terms | Privacy