General
-
Target
650f4987603ce4942541cd35da39acdb78b6847f4f53feb524b8933d0600a168
-
Size
1.5MB
-
Sample
221123-xfpngseh45
-
MD5
a65176552cb892c860debbb6c1717fd1
-
SHA1
7863ec4a7e103847ed0b6a781b16c9f1e1011fa6
-
SHA256
650f4987603ce4942541cd35da39acdb78b6847f4f53feb524b8933d0600a168
-
SHA512
dd4d5ba91a7d0a8cc3e9f4cc22bfcc4969ed7db4b3863a7d8faf89159316ab30b71550402d16646e1224cd9b3046c2a9f65fde76c2cbec7e0e9eabe446f086fa
-
SSDEEP
24576:R4lavt0LkLL9IMixoEgealDIvYVMsSWNAsBvOT7SE00uy/Zwq9MmCS:gkwkn9IMHealDmYVDSWNRBGHEQOaPCS
Malware Config
Targets
-
-
Target
650f4987603ce4942541cd35da39acdb78b6847f4f53feb524b8933d0600a168
-
Size
1.5MB
-
MD5
a65176552cb892c860debbb6c1717fd1
-
SHA1
7863ec4a7e103847ed0b6a781b16c9f1e1011fa6
-
SHA256
650f4987603ce4942541cd35da39acdb78b6847f4f53feb524b8933d0600a168
-
SHA512
dd4d5ba91a7d0a8cc3e9f4cc22bfcc4969ed7db4b3863a7d8faf89159316ab30b71550402d16646e1224cd9b3046c2a9f65fde76c2cbec7e0e9eabe446f086fa
-
SSDEEP
24576:R4lavt0LkLL9IMixoEgealDIvYVMsSWNAsBvOT7SE00uy/Zwq9MmCS:gkwkn9IMHealDmYVDSWNRBGHEQOaPCS
Score9/10-
NirSoft MailPassView
Password recovery tool for various email clients
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-