General

Target: 3632593f89fb388070390bd7010a8b450e9d1e9d1b496941466a0677f1abd344
Size: 74KB
Sample: 221126-fgfcrsch68
MD5: ecb053003e003910fb323ba3ae3a0cc2
SHA1: 16588050f0d332182619cabeae9eae086e1439c8
SHA256: 3632593f89fb388070390bd7010a8b450e9d1e9d1b496941466a0677f1abd344
SHA512: 3a18a0ea222c56814cdfc5c13406b11c82ba1c6f2bf4fe54c1bcf25ab02436d4d4a6ffa9933ef13f63012c3d31e2e9f5e1edc9f616ddba10834639766b311ba6
SSDEEP: 1536:khOSTHSeVBC2MTzkfgsRRpraixzq6NCsnlEQXcNzUUSXZj:khrHS+BCB+gsrHFvJlCNYDZj
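Before relying on any of the behaviour below, confirm that the file in hand is the one the report describes: the report lists two distinct objects (the 74KB submission above and the 134KB BL_PL_&_INVOICE_PDF.exe further down) with different digests, so a single mismatched algorithm means you are looking at something else. The helper below is an added example, not part of the sandbox report; it streams a file once through all four hash algorithms the report lists and compares the result against the digests copied from the General block.

```python
import hashlib

# Digests copied verbatim from the report's "General" block (the 74KB submission).
# Added triage helper; not part of the sandbox report itself.
REPORT_DIGESTS = {
    "md5": "ecb053003e003910fb323ba3ae3a0cc2",
    "sha1": "16588050f0d332182619cabeae9eae086e1439c8",
    "sha256": "3632593f89fb388070390bd7010a8b450e9d1e9d1b496941466a0677f1abd344",
    "sha512": "3a18a0ea222c56814cdfc5c13406b11c82ba1c6f2bf4fe54c1bcf25ab02436d4d"
              "4a6ffa9933ef13f63012c3d31e2e9f5e1edc9f616ddba10834639766b311ba6",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Return all four digests (lowercase hex) for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Read the file once and feed every chunk to all four hash objects,
    so large samples are not re-read per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_with_report(observed: dict, expected: dict = REPORT_DIGESTS) -> dict:
    """Per-algorithm verdict. Comparison is case-insensitive because hashes are
    pasted from many sources (some tools print uppercase hex)."""
    return {
        name: observed.get(name, "").lower() == value.lower()
        for name, value in expected.items()
    }


def is_reported_sample(observed: dict, expected: dict = REPORT_DIGESTS) -> bool:
    """True only when every listed algorithm agrees; one mismatch is a different file."""
    return all(compare_with_report(observed, expected).values())


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-candidate-file>
    verdicts = compare_with_report(digest_file(sys.argv[1]))
    for name, ok in verdicts.items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
    print("reported sample" if all(verdicts.values()) else "NOT the reported sample")
```

The same `is_reported_sample` check can be pointed at the digests of the 134KB target by swapping in that block's values for `expected`; an analyst who receives only one of the two files should record which one it is.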
Static task
static1

Behavioral task
behavioral1
Sample: BL_PL_&_INVOICE_PDF.exe
Resource: win7-20221111-en

Behavioral task
behavioral2
Sample: BL_PL_&_INVOICE_PDF.exe
Resource: win10v2004-20221111-en
Malware Config

Extracted
Family: pony
C2: http://d-mmoney.favcc1.com/gate.php
payload_url: http://d-mmoney.favcc1.com/shit.exe
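The two URLs above are the actionable network indicators: Pony submits harvested credentials to the gate.php endpoint and fetches its second stage from payload_url. The script below is an added example (not part of the report or of any Pony tooling) that turns the extracted config into a hunt over proxy logs; the log lines are constructed in Squid's native access-log layout and are not real traffic. It matches the exact URLs first, then falls back to the exact C2 host, so other paths on d-mmoney.favcc1.com surface too, while the parent domain favcc1.com alone is deliberately not matched.

```python
from urllib.parse import urlsplit

# Extracted Pony config copied from the report. The role names are my labels.
PONY_CONFIG = {
    "c2_gate": "http://d-mmoney.favcc1.com/gate.php",
    "payload_url": "http://d-mmoney.favcc1.com/shit.exe",
}


def iocs_from_config(cfg=PONY_CONFIG):
    """Derive exact-URL and exact-host indicators from the extracted config."""
    url_to_role = {url.lower(): role for role, url in cfg.items()}
    hosts = {urlsplit(url).hostname.lower() for url in cfg.values()}
    return url_to_role, hosts


# Constructed Squid-style access log (not real traffic). Field order:
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_PROXY_LOG = """\
1669388001.123    210 10.0.0.15 TCP_MISS/200 512 POST http://d-mmoney.favcc1.com/gate.php - HIER_DIRECT/203.0.113.10 text/html
1669388002.456     80 10.0.0.15 TCP_MISS/200 69120 GET http://d-mmoney.favcc1.com/shit.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1669388003.789     30 10.0.0.22 TCP_HIT/200 1024 GET http://example.com/index.html - HIER_NONE/- text/html
1669388004.012     40 10.0.0.31 TCP_MISS/200 300 GET http://favcc1.com/ - HIER_DIRECT/203.0.113.11 text/html
1669388005.345     55 10.0.0.15 TCP_MISS/404 210 GET http://d-mmoney.favcc1.com/other.php - HIER_DIRECT/203.0.113.10 text/html
"""


def match_proxy_log(log_text, cfg=PONY_CONFIG):
    """Return one hit per log line that touches the extracted C2 URLs or host.

    A full-URL match carries the config role (c2_gate / payload_url); a host-only
    match is reported separately so an analyst can see unknown paths on the C2.
    """
    url_to_role, hosts = iocs_from_config(cfg)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        ts, client, method, url = fields[0], fields[2], fields[5], fields[6]
        host = (urlsplit(url).hostname or "").lower()
        if url.lower() in url_to_role:
            match, role = "url", url_to_role[url.lower()]
        elif host in hosts:
            match, role = "host", "same_c2_host"
        else:
            continue
        hits.append({"ts": ts, "client": client, "method": method,
                     "url": url, "match": match, "role": role})
    return hits


def victims(hits):
    """Distinct client IPs that contacted the C2; these hosts need the host-side triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} {hit['url']} [{hit['match']}:{hit['role']}]")
    print("clients to triage:", victims(match_proxy_log(SAMPLE_PROXY_LOG)))
```

A POST to gate.php is the stronger signal of the two: it means credential data was already exfiltrated, whereas a GET of shit.exe only shows the second stage was requested.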
Targets

Target: BL_PL_&_INVOICE_PDF.exe
Size: 134KB
MD5: 0e087a29f6694524e66020d9454ccdb9
SHA1: 10e5050f1975938399827be5dab35e5d01cb0c89
SHA256: eb51fa64e6d1687abdd2e0ee8a0d49468ab2879007c094e3b351f505fff09e0c
SHA512: 9e9c8bb4c3c577a41d930356c8b2d0a9eba0f0692b7e654053b2af478471c1b36db78cd33d2d5b800e661d5a5752e53448fbd299bdc670da5091e704ec10a1af
SSDEEP: 3072:LlMyoAdZDhDOdtgXwDEi5xZgrdkkeRQHadg/wb:pvomDhi8wgiXZgrulk/
Score: 10/10

Executes dropped EXE
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Uses the VBS compiler for execution
Starts vbc.exe (the Visual Basic .NET compiler, a signed Microsoft binary) as a host process for the payload.
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Reads stored Outlook account and profile data; consistent with Pony's credential-stealing role.
Adds Run key to start application
Persistence via a value under Software\Microsoft\Windows\CurrentVersion\Run.
Suspicious use of SetThreadContext
API commonly used to redirect execution into injected code in a process-hollowing chain; fits the vbc.exe host process above.
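Several of the signatures above leave traces that ordinary endpoint telemetry can confirm even without the sandbox: the vbc.exe launch with an unusual parent, and the Run key write. The code below is an added example, not part of the report; it runs two triage rules over constructed process-create and registry-set events whose field names are modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine) and Event ID 13 (TargetObject, Details). The SetThreadContext signature is an API-level observation with no equivalent process or registry event, so it is not covered here.

```python
import re

# Constructed events shaped like Sysmon records (not captured from a real host).
# Field names follow Sysmon's Event ID 1 and Event ID 13 schemas; the paths,
# SID and value name are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\victim\Downloads\BL_PL_&_INVOICE_PDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\BL_PL_&_INVOICE_PDF.exe"'},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\victim\Downloads\BL_PL_&_INVOICE_PDF.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": 1,  # benign: compiler driven by a build tool from Program Files
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"vbc.exe /noconfig @C:\build\obj\Debug\app.rsp"},
    {"EventID": 13,  # benign: service configuration, not a Run key
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]

# Run and RunOnce under HKCU/HKU or HKLM; both are autostart locations.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a non-admin user can write to; a parent living there is a red flag for vbc.exe.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.I)

# Map each rule to the sandbox signature it corroborates (wording from the report).
RULE_TO_SIGNATURE = {
    "vbc_spawned_by_user_writable_parent": "Uses the VBS compiler for execution",
    "run_key_persistence": "Adds Run key to start application",
}


def triage(events):
    """Apply both rules to every event and return the findings in event order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if eid == 1 and image.lower().endswith(r"\vbc.exe") and USER_WRITABLE_RE.match(parent):
            findings.append({"rule": "vbc_spawned_by_user_writable_parent",
                             "image": image, "evidence": parent})
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append({"rule": "run_key_persistence",
                             "image": image, "evidence": ev["TargetObject"],
                             "target_path": ev.get("Details", "")})
    return findings


def signatures_confirmed(findings):
    """Which of the report's signatures the telemetry independently supports."""
    return sorted({RULE_TO_SIGNATURE[f["rule"]] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']}: {f['image']} -> {f['evidence']}")
    print("confirmed:", signatures_confirmed(triage(SAMPLE_EVENTS)))
```

The vbc.exe rule keys on the parent rather than the compiler itself because the binary is legitimate and signed; what is abnormal is a freshly downloaded executable starting it. The Run key finding also carries the value data, since the path it points at (here an AppData location) is the next artefact to collect.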