General
-
Target
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
-
Size
503KB
-
Sample
221123-wm61nsfd51
-
MD5
71d29fb4a68ef4553d6452388c6e158a
-
SHA1
6e23f93e2289211995ff2e028eb7487e8e8738a7
-
SHA256
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
-
SHA512
b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f
-
SSDEEP
12288:luqP9L79Hef1kBVvRhQePRPN9qmNuetx:lu0lefEVbHPRPqE/tx
Static task
static1
Behavioral task
behavioral1
Sample
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Resource
win7-20220812-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
bruda00
Targets
-
-
Target
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
-
Size
503KB
-
MD5
71d29fb4a68ef4553d6452388c6e158a
-
SHA1
6e23f93e2289211995ff2e028eb7487e8e8738a7
-
SHA256
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
-
SHA512
b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f
-
SSDEEP
12288:luqP9L79Hef1kBVvRhQePRPN9qmNuetx:lu0lefEVbHPRPqE/tx
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-