General
-
Target
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
-
Size
1.1MB
-
Sample
221125-zrlr3shd8v
-
MD5
f318e540a01cf649bbb1640c81c55c94
-
SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93
-
SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
-
SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
-
SSDEEP
24576:X6blI9AqgZh+D3vspAANvVp2OrHtKuzNwiTIV3teph6ar+:X6bK91eh+D0pFBKOn8lwph6ay
Static task
static1
Behavioral task
behavioral1
Sample
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: drlwjrdttnageixp
Targets
-
Target
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
-
Size
1.1MB
-
MD5
f318e540a01cf649bbb1640c81c55c94
-
SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93
-
SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
-
SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
-
SSDEEP
24576:X6blI9AqgZh+D3vspAANvVp2OrHtKuzNwiTIV3teph6ar+:X6bK91eh+D0pFBKOn8lwph6ay
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-