General
-
Target
2895b0d03298b506b817be1f5c5ea958ce24e80bd8bdda2bd9c1fe1c206d5dc7
-
Size
567KB
-
Sample
221126-tn6p7afg32
-
MD5
cca0703e3c4a7a8bf7cff4777abb8303
-
SHA1
acc1139a7fd4c8dc984d6b26476b16eb9efc0142
-
SHA256
2895b0d03298b506b817be1f5c5ea958ce24e80bd8bdda2bd9c1fe1c206d5dc7
-
SHA512
0ef9d19d697d1f9bc2cdc16aba6677d67b22e0f74baa32dd5e5426e6dc33860e4a00c5546e92f80b8754f989675c7fce94382575b156a2ae7ff26e5890b74c22
-
SSDEEP
12288:LcRzWTuJzK2BRHCOu1/nASZNiTFsW0TbzLTy0XbTIEIsPBs:IRz3KqRHCOu5nvcTCW0TbTLrXP
Static task
static1
Behavioral task
behavioral1
Sample
2895b0d03298b506b817be1f5c5ea958ce24e80bd8bdda2bd9c1fe1c206d5dc7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2895b0d03298b506b817be1f5c5ea958ce24e80bd8bdda2bd9c1fe1c206d5dc7.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: vinny2009
Targets
-
Modifies WinLogon for persistence
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-