General
Target: fc2c0e10eb33d6950bf39aac41df2bc06e2d2ca75bb29213879612ee984261ba
Size: 567KB
Sample: 221126-3ycdrshe7v
MD5: 856b2781f4516f51bd1fcfd5cc48820c
SHA1: 213e249db7af4e1bf577231d699e4b61476d61ad
SHA256: fc2c0e10eb33d6950bf39aac41df2bc06e2d2ca75bb29213879612ee984261ba
SHA512: 5e0d70ff2052671de1595eeb18e323a2e386568ffdee891fac18ad8d89d4f241daecdee80e097365c3fb2dd0b9d9aad567405db3116e6a272649fde5ecdcc76f
SSDEEP: 12288:9Y20AljdZgBPfKf94AYl54pe6oMJC+hzX/QBZUa9D/cOSCN7YoPb:S20gPgFK14pl54pe6oMJC+pX/QB3D/cC
Static task: static1
Behavioral task: behavioral1
  Sample: fc2c0e10eb33d6950bf39aac41df2bc06e2d2ca75bb29213879612ee984261ba.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: fc2c0e10eb33d6950bf39aac41df2bc06e2d2ca75bb29213879612ee984261ba.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted
Protocol: ftp
Host: ftp.adrive.com
Port: 21
Username: raziel7@mail2tor.com
Password: Aress6666
Targets
Target: fc2c0e10eb33d6950bf39aac41df2bc06e2d2ca75bb29213879612ee984261ba
Size: 567KB
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext