88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9 | Triage

Submit
Reports

Overview

overview

Static

static

88595e9291...f9.exe

windows7-x64

88595e9291...f9.exe

windows10-2004-x64

Sharing

General

Target

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9
Size

595KB
Sample

221124-2nv8fsha21
MD5

22fa3f044edf21da1808efd9138727d2
SHA1

f66f70f4763a9d0dd2ebd0803d2f46d691a338fb
SHA256

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9
SHA512

19f904d86aac592b1edca4b257c292ed78de219c5007564eb74e587a8d1f0c1de7f2f3a47629445cddb6375cfd2c4e90bea019baadb4b5bb87279b2d52f89f78
SSDEEP

12288:QtmXjD9Ye5veJVJPbCjXr2CIjfcXL88WOouNyg1kXGLb:QtmX2bJj+j72ffEPWOPwub

Score

10^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe

Resource

win7-20221111-en

collection persistence spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe

Resource

win10v2004-20220901-en

persistence spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
ejcmrquuosqeqgpx

Targets

- Target
  
  88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9
- Size
  
  595KB
- MD5
  
  22fa3f044edf21da1808efd9138727d2
- SHA1
  
  f66f70f4763a9d0dd2ebd0803d2f46d691a338fb
- SHA256
  
  88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9
- SHA512
  
  19f904d86aac592b1edca4b257c292ed78de219c5007564eb74e587a8d1f0c1de7f2f3a47629445cddb6375cfd2c4e90bea019baadb4b5bb87279b2d52f89f78
- SSDEEP
  
  12288:QtmXjD9Ye5veJVJPbCjXr2CIjfcXL88WOouNyg1kXGLb:QtmX2bJj+j72ffEPWOPwub
Score

10^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

persistencespywarestealer

© 2018-2024

Terms | Privacy