General
Target: c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
Size: 444KB
Sample: 221125-3nca1sfb87
MD5: ba909b63397276ff6c03199363842783
SHA1: 8170a737992c9af18061039fe0382e1ace496a55
SHA256: c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
SHA512: 4154efa8d63b3b548c1f9209c7c48e6afe55995740c86db88b15c5974e5dd555f25a80041ef028fed13f505b9db8e8e5bb36e5c2323f3227774317aa59448e5d
SSDEEP: 6144:M3r4LiHSp+kTgELBy8rjUSwd2jDzrGkHihOLV/IYwXFMwY2JqUaQO1uLuzjMqeD:MbNyp+OLB52WzWOL2YSNJq4uquzjPeD
Static task: static1

Behavioral task: behavioral1
Sample: c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6.exe
Resource: win10v2004-20221111-en
Malware Config
Targets
Target: c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
Size: 444KB
MD5: ba909b63397276ff6c03199363842783
SHA1: 8170a737992c9af18061039fe0382e1ace496a55
SHA256: c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
SHA512: 4154efa8d63b3b548c1f9209c7c48e6afe55995740c86db88b15c5974e5dd555f25a80041ef028fed13f505b9db8e8e5bb36e5c2323f3227774317aa59448e5d
SSDEEP: 6144:M3r4LiHSp+kTgELBy8rjUSwd2jDzrGkHihOLV/IYwXFMwY2JqUaQO1uLuzjMqeD:MbNyp+OLB52WzWOL2YSNJq4uquzjPeD
Score: 9/10

Signatures
NirSoft MailPassView: password recovery tool for various email clients
Nirsoft
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext