7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249 | Triage

Submit
Reports

Overview

overview

9

Static

static

7c5e515b7c...49.exe

windows7-x64

9

7c5e515b7c...49.exe

windows10-2004-x64

9

Sharing

General

Target

7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249
Size

1.4MB
Sample

221126-ej95gsaf46
MD5

03685a67bd1e27a58c17c5826ca70a2d
SHA1

b9cfca64b398e42677130302d1e8a88b364e5165
SHA256

7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249
SHA512

f929db1f711b1a641df4d49a0f1be9416fbb10263d3724e1845666ba1f0031a1bc30c7255adaf7fafbafd998e019f71fab33b267716fc9632ef1815b61e0be6b
SSDEEP

24576:oNBIy/15hzjen1emZ7yEFJu68GGUEtUMefQMmNoM:JyN/ckw7NFw68MMPOM

Score

9^/10

collection evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249.exe

Resource

win7-20220812-en

collection evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249.exe

Resource

win10v2004-20220812-en

collection evasion persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249
- Size
  
  1.4MB
- MD5
  
  03685a67bd1e27a58c17c5826ca70a2d
- SHA1
  
  b9cfca64b398e42677130302d1e8a88b364e5165
- SHA256
  
  7c5e515b7ca107a1e72c366a89c6e18f49f7a67c3e1c2721d79bb7907a5a5249
- SHA512
  
  f929db1f711b1a641df4d49a0f1be9416fbb10263d3724e1845666ba1f0031a1bc30c7255adaf7fafbafd998e019f71fab33b267716fc9632ef1815b61e0be6b
- SSDEEP
  
  24576:oNBIy/15hzjen1emZ7yEFJu68GGUEtUMefQMmNoM:JyN/ckw7NFw68MMPOM
Score

9^/10

collection evasion persistence trojan
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

collectionevasionpersistencetrojan

behavioral2

collectionevasionpersistencetrojan

© 2018-2024

Terms | Privacy