f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672 | Triage

Submit
Reports

Overview

overview

Static

static

f350e71fff...72.exe

windows7-x64

f350e71fff...72.exe

windows10-2004-x64

Sharing

General

Target

f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672
Size

972KB
Sample

221123-wmtekscd73
MD5

4c41324bb4e65eb62a2b817c69a5a86d
SHA1

8b52e1cf9c56c75f5492015c4d08f62fcc8849df
SHA256

f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672
SHA512

f8c8951404556dbbbf05aa039686c0d7de0340a336210ea66b63a3def514c60aa6805accff8094556a312f4174ddc7c642b514dc579ce09fe1c4a2031e03c538
SSDEEP

12288:Lv1H9GM9a/rHC60G4T/+CRz9hBXtB8kPC9xrOMe7BG/MEEbbt27QkMQAp0R/QCAH:LvJ45/2XG4hXXnSadaruwddZvGcfN/vw

Score

10^/10

persistence phishing spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672.exe

Resource

win7-20220812-en

phishing spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672.exe

Resource

win10v2004-20220812-en

persistence phishing spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
talnah0515

Targets

- Target
  
  f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672
- Size
  
  972KB
- MD5
  
  4c41324bb4e65eb62a2b817c69a5a86d
- SHA1
  
  8b52e1cf9c56c75f5492015c4d08f62fcc8849df
- SHA256
  
  f350e71fff2a223af991bf9371765ba8ce081971316f1cff2b1a1f3d8c1fe672
- SHA512
  
  f8c8951404556dbbbf05aa039686c0d7de0340a336210ea66b63a3def514c60aa6805accff8094556a312f4174ddc7c642b514dc579ce09fe1c4a2031e03c538
- SSDEEP
  
  12288:Lv1H9GM9a/rHC60G4T/+CRz9hBXtB8kPC9xrOMe7BG/MEEbbt27QkMQAp0R/QCAH:LvJ45/2XG4hXXnSadaruwddZvGcfN/vw
Score

10^/10

phishing spyware stealer persistence
- Detected phishing page
  phishing
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

phishingspywarestealer

behavioral2

persistencephishingspywarestealer

© 2018-2024

Terms | Privacy