General
Target: payloads.7z
Size: 4.3MB
Sample: 221124-1lfvbaee4w
MD5: 15cf3b0e76984199b371021d5b858200
SHA1: e4c37862729be6cd4cbe93df690fa94a8196416d
SHA256: f10ff26e4882c7eab600b372b29278374cda555f4da20b93d8d600a3222a59e2
SHA512: a81310823cfbf3e199a6b0b792c2f1092ead599f5c19193eadadfa6875471284c86c185a393f826fe330df4445d2a1e87c7f660e097847061c59dcb95e462fd9
SSDEEP: 98304:TY73WCRyTcj5K0PzxUlI4LzonQZn3VYjzKF4TXCrwmbxMZ+m:FCRDjoQzw06nlGY8CMmbxMJ

Static task: static1
Behavioral task: behavioral1
Sample: payload.exe
Resource: win10v2004-20221111-en

Malware Config

Targets

Target: payload.exe.exe
Size: 502KB
MD5: becb2f014c1cbebcad2e3b8388ce3040
SHA1: 96eda53b2dce7058189589d79cdcc0c359de73b8
SHA256: db92de179132a3a9b1172d9cbb40f0720d8a24a1af416c77f15ffa44498ccf44
SHA512: a7201a2ff3a39d0cf47980454ddfa71572dc44ea454a1ad5280058eaeb9610194a710da127f6e5b02637f0a478106bf0c2d761d280ad59854e73ccfec6a00b27
SSDEEP: 6144:rbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHj:rQtqB5urTIoYWBQk1E+VF9mOx9P
Score: 6/10
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: payload.exe_protected.exe
Size: 4.1MB
MD5: 6b09bdd2536034fd92a6566125d06395
SHA1: 6f72dac783433b63d7cdac4897748052b24ce73d
SHA256: 61eaf05d36fd2b921f67d4154dc4c7ef573572015a1b0aff1936a99644c2245d
SHA512: 9925d988b9d9e066123ac86a33c57d6e1a41e412933aecb3a290c6f4f968b22956e1423fc8129799411e5a835ea5002c9458214d16c9af8924d809ec79a59186
SSDEEP: 98304:Eff7JW0H4T0GbQ7wVUUOzR9qq5YaFgQacIQJaRDW8RG:OfL4T0Gb9U3NPhFgpcxJ8DO
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext