General
Target: bb4056d8f63803092604df62217fb3b5a56540bf6fe7540c81791aa64b359c0a
Size: 1009KB
Sample: 221126-2796qacc33
MD5: 08d7f65437065192b95f43d9faf0be20
SHA1: 13c4e419afa56d46413116810ab30aeb0b30827c
SHA256: bb4056d8f63803092604df62217fb3b5a56540bf6fe7540c81791aa64b359c0a
SHA512: 8a2daec3c9ec2014300462ed86f99f862531aa0338d1a32a377b2921417f481e2dfaf503823acd4d614373569b43204da495db37e68d7177eb82658bedb70f9f
SSDEEP: 12288:f/pRdx93nv2gqXFOszj4PDf+hCXUbcNkAFLBJPKdOdA9VuN:f/pRj93nu5FOsfTk+A/JKOK
Static task: static1
Behavioral task: behavioral1
Sample: bb4056d8f63803092604df62217fb3b5a56540bf6fe7540c81791aa64b359c0a.exe
Resource: win7-20220901-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: worksave1013@gmail.com
Password: justdoit50
Targets
Target: bb4056d8f63803092604df62217fb3b5a56540bf6fe7540c81791aa64b359c0a
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext