General
-
Target
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
-
Size
723KB
-
Sample
221126-s8hcnahg3y
-
MD5
697032b609cad099ec3b347bd0f34cb3
-
SHA1
fc98b5aa7ca186ae9e0dea133438c5e15f3fd077
-
SHA256
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
-
SHA512
700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0
-
SSDEEP
12288:4vsfrEOhNBJksGrtIgmu6H5F/XunkwDxnYKCw9vweJ2F/MVXxSlM:5EOjBJfG2gm/unkwRYa9v3cFw
Static task
static1
Behavioral task
behavioral1
Sample
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
general123
Targets
-
-
Target
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
-
Size
723KB
-
MD5
697032b609cad099ec3b347bd0f34cb3
-
SHA1
fc98b5aa7ca186ae9e0dea133438c5e15f3fd077
-
SHA256
c52584768ed435aaccb233ecde281ad8d39d926e8aeb80a5917013dee7de0fb1
-
SHA512
700585da6b279d3074f427ee0fc9c865080c38a07d0f781b77356daae1d5ad8517b5d2cb2318024f31c161c91aba2074de14b284f155508a11cc059b05c75ca0
-
SSDEEP
12288:4vsfrEOhNBJksGrtIgmu6H5F/XunkwDxnYKCw9vweJ2F/MVXxSlM:5EOjBJfG2gm/unkwRYa9v3cFw
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-