General
- Target: db51e1b36cbad762364d6cae97ff800599429cf290860df780ada545b945cffa
- Size: 563KB
- Sample: 221126-2zrdmsbf56
- MD5: 3075bdeee94a45f13afd727e1b0b79b8
- SHA1: 072295516f1477a96a590fbf8a6a61db8287f9a3
- SHA256: db51e1b36cbad762364d6cae97ff800599429cf290860df780ada545b945cffa
- SHA512: b37ee8e2c806855bfb69679aa23423c23d60a5c8b87120499836f31f94b8c126b90861f3b76e810f87de7c00344c36f61609828b8d897ad74a4e9d7ce5c574e0
- SSDEEP: 12288:lY20AljdZgBPfKfubAYl54pe6oMJxF2SIVEoB/xW6LecbjO4:a20gPgFKGbpl54pe6oMJxFRIVh/xW6L1
Static task
- static1
Behavioral task
- behavioral1
- Sample: db51e1b36cbad762364d6cae97ff800599429cf290860df780ada545b945cffa.exe
- Resource: win7-20220812-en
Behavioral task
- behavioral2
- Sample: db51e1b36cbad762364d6cae97ff800599429cf290860df780ada545b945cffa.exe
- Resource: win10v2004-20221111-en
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.adrive.com
- Port: 21
- Username: raziel7@mail2tor.com
- Password: Aress6666
Targets
- Target: db51e1b36cbad762364d6cae97ff800599429cf290860df780ada545b945cffa
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext