General
-
Target
3e15d3f1dc5e6440d455a6417fe5bf0d2860b573e6da026059f958e4c07f5b64
-
Size
776KB
-
Sample
221127-tqslcaee8w
-
MD5
f6669c4e5245e525a0a1428001c5e590
-
SHA1
f437c521654e51b7fa2ca4498651e5fe8d1568a0
-
SHA256
3e15d3f1dc5e6440d455a6417fe5bf0d2860b573e6da026059f958e4c07f5b64
-
SHA512
e1c62d067b943dd0236cf40b3952920501ab370ef9339ff51d018597a467c71ab48c7b696e724be82a1790830ea8c77a9560a29419a5ff224072e89ab4904da9
-
SSDEEP
12288:Lqu1rgUUoiTuqw7jYpTMyJuy7HMIO85LJi1Pg2ddP/59r3DzKjGuME+ctfDgKirn:L91rg8LqCjcS0S1dP/59rzaV/irGw/v
Static task
static1
Behavioral task
behavioral1
Sample
3e15d3f1dc5e6440d455a6417fe5bf0d2860b573e6da026059f958e4c07f5b64.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3e15d3f1dc5e6440d455a6417fe5bf0d2860b573e6da026059f958e4c07f5b64.exe
Resource
win10v2004-20220901-en
Malware Config
Targets
-
Target
3e15d3f1dc5e6440d455a6417fe5bf0d2860b573e6da026059f958e4c07f5b64
Score 9/10
-
NirSoft MailPassView
Password recovery tool for various email clients. A legitimate NirSoft utility that credential stealers commonly bundle to dump mail client passwords from the host.
-
Nirsoft
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Checks computer location settings
Reads the country code stored in the user's registry location settings, a common geofence check used to avoid running in certain regions.
-
Loads dropped DLL
-
Uses the Visual Basic compiler (vbc.exe) for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Queries a legitimate public IP lookup service to learn the infected host's external IP address.
-
Suspicious use of SetThreadContext
-
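Detection-side illustration, added here and not part of the sandbox report: the behaviours above (Task Manager disabled via the registry, a Run key added, vbc.exe launched from an unexpected parent, an external IP lookup) replayed against constructed Sysmon-style events. The event records, the allow-list of legitimate vbc.exe parents and the list of IP-check domains are all assumptions; the report does not name the lookup service the sample used.

```python
"""Added example (not part of the sandbox report): replay constructed Sysmon-style
events against the behaviours listed above and report which rules fire.
Field names follow Sysmon EventID 1 (process create), 13 (registry value set)
and 22 (DNS query). Every event below is constructed for illustration."""
import re

SAMPLE_EXE = r"C:\Users\victim\AppData\Local\Temp\3e15d3f1dc5e6440d455a6417fe5bf0d2860b573e6da026059f958e4c07f5b64.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed telemetry: the sample launching, vbc.exe spawned from it, the two
# registry writes named in the report, a DNS lookup of an IP-check service, and
# a benign vbc.exe launch from MSBuild to show the parent rule stays quiet on it.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": VBC, "ParentImage": SAMPLE_EXE},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater\svc.exe"},
    {"EventID": 22, "Image": VBC, "QueryName": "checkip.dyndns.org"},
    {"EventID": 1, "Image": VBC,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
]

# Assumed allow-list of parents that legitimately launch vbc.exe (build tooling).
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe", "vbc.exe", "dotnet.exe"}
# Assumed list of public IP-check services; the report does not name the one used.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so comparisons ignore install location and case."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            # Disables Task Manager: DisableTaskMgr set to 1 under Policies\System.
            if target.lower().endswith(r"\policies\system\disabletaskmgr") and "0x00000001" in details:
                hits.append(("disables_task_manager", target))
            # Run key persistence: any value written under ...\CurrentVersion\Run or RunOnce.
            elif RUN_KEY_RE.search(target):
                hits.append(("run_key_persistence", f"{target} -> {details}"))
        elif eid == 1:
            image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
            # vbc.exe started by something other than build tooling. The SetThreadContext
            # call itself never appears in Sysmon telemetry; this parent/child pairing is
            # the observable proxy for a loader running inside a hollowed vbc.exe.
            if image == "vbc.exe" and parent not in DEV_PARENTS:
                hits.append(("vbc_from_unexpected_parent", f"{parent} -> {image}"))
        elif eid == 22:
            query = ev.get("QueryName", "").lower()
            if query in IP_LOOKUP_DOMAINS:
                hits.append(("external_ip_lookup", f"{basename(ev.get('Image', ''))} -> {query}"))
    return hits


def rules_fired(events):
    """Distinct rule names in first-seen order, the shape a triage verdict summarises."""
    seen = []
    for name, _ in detect(events):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {evidence}")
```

The "Checks computer location settings" behaviour is deliberately absent: it is a registry read, and Sysmon only records registry writes, so it needs an EDR or sandbox API trace rather than this event stream.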