General
Target: d36dd418529e8e0f22e3923056a8212579adf6df4657c9dad26b21ca9cbe3412
Size: 820KB
Sample: 221127-swnnxagf93
MD5: 3199b720ea98e7c602cb1d98169afa03
SHA1: 56d38c4c331a9d91c793b1f55ddfec241f4a55d1
SHA256: d36dd418529e8e0f22e3923056a8212579adf6df4657c9dad26b21ca9cbe3412
SHA512: f16874d6a550048cd750cc21ebeec38b408a952b0116d66c5a4e56426169f3fb4516aad84ff0ca13d7d37bf8ad6a1c6052f3fee9c4d6c9287393f169d97c1217
SSDEEP: 24576:tKdOqixup2MsWOCCekDWLpKGsWXG+1imC+SN+:uO7xk9XOCJKWLQXfvnN+
Static task: static1
Behavioral task: behavioral1
  Sample: d36dd418529e8e0f22e3923056a8212579adf6df4657c9dad26b21ca9cbe3412.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d36dd418529e8e0f22e3923056a8212579adf6df4657c9dad26b21ca9cbe3412.exe
  Resource: win10v2004-20220812-en
Malware Config

Targets
Target: d36dd418529e8e0f22e3923056a8212579adf6df4657c9dad26b21ca9cbe3412 (820KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Modifies WinLogon for persistence
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Drops desktop.ini file(s)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext