General
Target: 6289aae97ac2f026a4b6171ae2df8dcea2310a20f0626f1ed68758c7ed55fc77
Size: 765KB
Sample: 221126-rdvh3ahd82
MD5: c0d23ca1289e47fd1dc8f888412673a1
SHA1: b4f493f4c8871f01d6f96902907100bf4ce39180
SHA256: 6289aae97ac2f026a4b6171ae2df8dcea2310a20f0626f1ed68758c7ed55fc77
SHA512: 227a850d8733c4914d764fe34a6ef1471a593e043fb7a49834a9b1fb62f9fa606947b893547a9fb20d251270cc7b5f1e9a19eb22b6155cee44832fd625afc884
SSDEEP: 12288:LNxKEs5iIlU9zfG4fpPiVVL8d5rV6nCFtYAtktkbQSYP8ZVps3CHhdgtWR76Twp:LNxbeiIq9z+4pPizL8dlV6nCzYMLCyF3
Static task: static1
Behavioral task: behavioral1
Sample: Copy_Of_Balance_Payments.exe
Resource: win7-20220812-en
Malware Config
Extracted
Protocol: smtp
Host: mail.acsbaroda.com
Port: 587
Username: [email protected]
Password: Admin1975*
Targets
Target: Copy_Of_Balance_Payments.exe
Size: 856KB
MD5: 6796097989ff8aa921d83d2a3553bb21
SHA1: ccd7805053b00b3e14b703517662a0036f95acbb
SHA256: 5f81c6852cc89916688dd380bf23185a1fcf2cd7fb5a93da32d22644ef0769c9
SHA512: 12262825e17afac04f28ff4eb986aaccf0f615f010fd9e8e043f423c65be64ad8a2508b9bce1da901e20d5770a97af447a384d5c9a76d162d19ba51a288747ae
SSDEEP: 24576:rEe1hYtljbiiIq9r+EpPinL6dTVUnCzoChg9:oeI/jvIq9v86dTVUnCzoCc
Signatures
NirSoft MailPassView: Password recovery tool for various email clients
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Nirsoft
Executes dropped EXE
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext