General
Target: f0bd1ad3a00ae5127776aa304e1d98ba394668cc7e3b423a6f2e5d6fa21f8f08
Size: 389KB
Sample: 221126-z6jw2aef82
MD5: 69455394a39735df82004fab791193ac
SHA1: 7954b8bdda866941730360771d6db39f815599ec
SHA256: f0bd1ad3a00ae5127776aa304e1d98ba394668cc7e3b423a6f2e5d6fa21f8f08
SHA512: 6e920732bd5977b3721acac78e4f9e4469934cfbe146c7cfe89788291c2f6f90f901394b011a5cc639f721260e5f924e19c69dbf2320d501ac45aedd3cb3d28b
SSDEEP: 12288:qHe3SbbK8R9aa5lVNVg7GvU/v2kVDpESUoF:qHrR8aBcGMNV6UF
Static task: static1
Behavioral task: behavioral1
  Sample: Product Order.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Product Order.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: hruabfostiabgdjq
Targets
Target: Product Order.exe
Size: 674KB
MD5: 29d58784e13a6890da37f86ed7f5260f
SHA1: ccc138855a028b1436c115eabc41d9fc5eda3f8e
SHA256: 56df55f38d497f8d1f7c8bae16f2f6a391d4d38f89f45b24f9d03985b5c7e9a9
SHA512: a0a58cb7e01f6c3adcb0de637c5ef43f47a1a2acfb95e31813581f22a699765a769a25d87615a8e02e45a7b7c5b39939ab39b69cdbe8017acd605ca5a395a771
SSDEEP: 12288:ttZpGIQJqrk+V0RY8QvlxMnFN/+tFOD4:tjpGPJBEiY58nq/G
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP
- Suspicious use of SetThreadContext
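As an added example (not code from this sandbox report, the sandbox, or the sample's author), the Python script below turns the extracted SMTP exfiltration configuration and the behavioural signatures listed above into simple detection logic run over Sysmon-style telemetry. It correlates a file write with a later process start from that path (Executes dropped EXE), flags Run-key persistence and reads of the HKCU\Control Panel\International\Geo key (the geofence check), external-IP lookups, SetThreadContext against another process, and any non-mail-client process connecting to the extracted host and port. The event line format, the field names, the mail-client allow-list, the IP-lookup domain list and the sample events are constructed for this example and are assumptions, not data from the report.

```python
"""Behavioural triage over constructed Sysmon-style events (added example).

Not part of the sandbox report. Maps raw telemetry onto the report's
behavioural signatures and its extracted SMTP exfiltration config.
The event format, field names, allow-lists and sample events are
constructed for this example; adapt the parser to real telemetry.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Exfiltration channel taken from the report's extracted config.
EXFIL_HOST = "smtp.gmail.com"
EXFIL_PORT = 587

# Assumptions for this example, not values from the report.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # allowed SMTP submitters
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
GEO_KEY_MARKER = "\\control panel\\international\\geo"      # registry geofence lookup


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    signature: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'key=value|key=value' telemetry line."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")   # paths may contain no '=' or '|'
        fields[key.strip()] = value.strip()
    return fields


def analyze(lines: list[str]) -> list[Finding]:
    """Map raw events onto the report's behavioural signatures."""
    findings: list[Finding] = []
    dropped: dict[int, set[str]] = defaultdict(set)   # pid -> files it wrote

    def hit(ev: dict[str, str], signature: str, detail: str) -> None:
        findings.append(Finding(int(ev["pid"]), ev.get("image", "").lower(), signature, detail))

    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "file":
            dropped[int(ev["pid"])].add(ev["path"].lower())
        elif kind == "proc":
            # Executes dropped EXE: the new image was written earlier by its parent.
            if ev["path"].lower() in dropped.get(int(ev["ppid"]), set()):
                hit(ev, "Executes dropped EXE", f"{ev['path']} written by pid {ev['ppid']}")
        elif kind == "reg":
            target = ev["target"].lower()
            if any(m in target for m in RUN_KEY_MARKERS):
                hit(ev, "Adds Run key to start application", ev["target"])
            elif GEO_KEY_MARKER in target:
                hit(ev, "Checks computer location settings", ev["target"])
        elif kind == "dns":
            if ev["query"].lower() in IP_LOOKUP_DOMAINS:
                hit(ev, "Looks up external IP address via web service", ev["query"])
        elif kind == "net":
            host, port = ev["dst"].lower(), int(ev["dport"])
            exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            if host == EXFIL_HOST and port == EXFIL_PORT and exe not in MAIL_CLIENTS:
                hit(ev, "SMTP exfiltration to extracted config host", f"{host}:{port}")
        elif kind == "api" and ev.get("api") == "SetThreadContext":
            if ev.get("target_pid") != ev["pid"]:   # context written into another process
                hit(ev, "Suspicious use of SetThreadContext", f"target pid {ev['target_pid']}")
    return findings


def verdict(findings: list[Finding], threshold: int = 3) -> dict[int, list[str]]:
    """Processes whose count of distinct signatures reaches the threshold."""
    sigs: dict[int, set[str]] = defaultdict(set)
    for f in findings:
        sigs[f.pid].add(f.signature)
    return {pid: sorted(s) for pid, s in sigs.items() if len(s) >= threshold}


# Constructed sample timeline: dropper (1001) writes and runs svc.exe (1002),
# which persists, checks the Geo key, hollows a child (1003) that exfiltrates.
# Outlook (2000) talking to the same server is the benign control case.
SAMPLE_EVENTS = [
    r"type=file|pid=1001|image=C:\Users\u\Downloads\Product Order.exe|path=C:\Users\u\AppData\Local\Temp\svc.exe",
    r"type=proc|pid=1002|ppid=1001|image=C:\Users\u\AppData\Local\Temp\svc.exe|path=C:\Users\u\AppData\Local\Temp\svc.exe",
    r"type=reg|pid=1002|image=C:\Users\u\AppData\Local\Temp\svc.exe|target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
    r"type=reg|pid=1002|image=C:\Users\u\AppData\Local\Temp\svc.exe|target=HKCU\Control Panel\International\Geo\Nation",
    r"type=api|pid=1002|image=C:\Users\u\AppData\Local\Temp\svc.exe|api=SetThreadContext|target_pid=1003",
    r"type=dns|pid=1003|image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe|query=checkip.dyndns.org",
    r"type=net|pid=1003|image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe|dst=smtp.gmail.com|dport=587",
    r"type=net|pid=2000|image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|dst=smtp.gmail.com|dport=587",
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"pid {f.pid} {f.signature}: {f.detail}")
    print("verdict:", verdict(results))
```

The SMTP rule keys on the extracted host and port rather than on port 587 alone, so it stays quiet for real mail clients (the Outlook event produces no finding) while still catching a hollowed .NET host process that has no business submitting mail; raise or lower the `verdict` threshold to trade precision against recall.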