General
- Target: 04dea7258cb2226ed229774ea6d175dcf4663d12339518e59722e8bd937191aa
- Size: 2.1MB
- Sample: 221126-assvcacg2t
- MD5: bc69018ea6d36b55d8f7b07aaeb93a19
- SHA1: 5d48023a9d9a8216cd94cf6b6f538bb690734f87
- SHA256: 04dea7258cb2226ed229774ea6d175dcf4663d12339518e59722e8bd937191aa
- SHA512: 9f76da54d02631917fd4495b1b41c9a9edfe7c961125fef3f7d9e5a0f289a2146bba9c47f9682a202b364bdea24b58d93083ed70b55ece403b36002e201a2eef
- SSDEEP: 49152:klrJu25iOVN91IXwyJaugzicnTlMMvJ3y77jZiF8fD+PPc:I4s9OvaFzim+c07/8miPU
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 04dea7258cb2226ed229774ea6d175dcf4663d12339518e59722e8bd937191aa.exe
  - Resource: win7-20221111-en
Behavioral task
- behavioral2
  - Sample: 04dea7258cb2226ed229774ea6d175dcf4663d12339518e59722e8bd937191aa.exe
  - Resource: win10v2004-20221111-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: [email protected]
- Password: kingofkings1234
Targets
- Target: 04dea7258cb2226ed229774ea6d175dcf4663d12339518e59722e8bd937191aa (2.1MB; hashes as listed under General above)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext