General
- Target: 787f22236258b0a5afdb8106af6e584f09df31e493e8ae0793250e00df62aa8c
- Size: 502KB
- Sample: 221124-3h299aff27
- MD5: 7a6d2ae925ccae9dc1dd94afe1ac508a
- SHA1: 18c9d67b20d8263bfafef5a7d60e571e08586a0b
- SHA256: 787f22236258b0a5afdb8106af6e584f09df31e493e8ae0793250e00df62aa8c
- SHA512: 8006d6e28252edd7211977302175fc1a955938fe4858e7bfb03ee7621c7465d70cf71b10e23a1cd9e8267092365cee6ff1de09ec3422433bc6ec3d8b4781784e
- SSDEEP: 6144:RrLbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9bHZ:RrLQtqB5urTIoYWBQk1E+VF9mOx9F
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 787f22236258b0a5afdb8106af6e584f09df31e493e8ae0793250e00df62aa8c.exe
  - Resource: win7-20221111-en

Behavioral task
- behavioral2
  - Sample: 787f22236258b0a5afdb8106af6e584f09df31e493e8ae0793250e00df62aa8c.exe
  - Resource: win10v2004-20220901-en
Malware Config

Targets
- Target: 787f22236258b0a5afdb8106af6e584f09df31e493e8ae0793250e00df62aa8c
  - Size: 502KB
  - MD5: 7a6d2ae925ccae9dc1dd94afe1ac508a
  - SHA1: 18c9d67b20d8263bfafef5a7d60e571e08586a0b
  - SHA256: 787f22236258b0a5afdb8106af6e584f09df31e493e8ae0793250e00df62aa8c
  - SHA512: 8006d6e28252edd7211977302175fc1a955938fe4858e7bfb03ee7621c7465d70cf71b10e23a1cd9e8267092365cee6ff1de09ec3422433bc6ec3d8b4781784e
  - SSDEEP: 6144:RrLbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9bHZ:RrLQtqB5urTIoYWBQk1E+VF9mOx9F
  - NirSoft MailPassView: Password recovery tool for various email clients
  - NirSoft WebBrowserPassView: Password recovery tool for various web browsers
  - Nirsoft
  - Executes dropped EXE
  - Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
  - Deletes itself
  - Loads dropped DLL
  - Uses the VBS compiler for execution
  - Accesses Microsoft Outlook accounts
  - Adds Run key to start application
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
  - Suspicious use of SetThreadContext