General
- Target: 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c
- Size: 1.5MB
- Sample: 221126-ra56dscd5z
- MD5: 4dd205752e9d320eceffcdd931168612
- SHA1: 419857273e5bcd2129ae1e17649b9f26c7dc2c91
- SHA256: 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c
- SHA512: b2fa020372255e0ec1f297458e58f032c9463cc4461137a682a2e112ad4bdd1864f67fe94fcb1f9c9a3a794de65009a71d3ae06a9a3364199b69b02acf34f862
- SSDEEP: 24576:q5T542JygsASjNf0LWgtU3E29Sq5CVxbAX2re6hpz+2mn6x/K:kT5TYGU3b9Sq5KxMX2rThJ+2mnk/K
Static task: static1
Behavioral task: behavioral1
- Sample: 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
- Resource: win10v2004-20220901-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: stanmtmdlmkycozj
Targets
- Target: 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c
- Size: 1.5MB
- MD5: 4dd205752e9d320eceffcdd931168612
- SHA1: 419857273e5bcd2129ae1e17649b9f26c7dc2c91
- SHA256: 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c
- SHA512: b2fa020372255e0ec1f297458e58f032c9463cc4461137a682a2e112ad4bdd1864f67fe94fcb1f9c9a3a794de65009a71d3ae06a9a3364199b69b02acf34f862
- SSDEEP: 24576:q5T542JygsASjNf0LWgtU3E29Sq5CVxbAX2re6hpz+2mn6x/K:kT5TYGU3b9Sq5KxMX2rThJ+2mnk/K
Signatures
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP
- Suspicious use of SetThreadContext