General
-
Target
d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7
-
Size
656KB
-
Sample
221127-w8gb5sdf5v
-
MD5
14a74e856b761cbb0b29bb7c0e90a45e
-
SHA1
079db3f5493db058dc365f4c5075294be5692608
-
SHA256
d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7
-
SHA512
7b7dfdb16f81bf760dd8bd54485ab9e02be178bf7524447eab1e61aa94dae9ac9e92600564bd314a9fbe0a00e219514a8d0b1a85438f978c1bdcd8d58a31f1bb
-
SSDEEP
12288:fcsTIhZ06iruzv4lHTOUq7KsIMh05hoE/Syjz4zFjqr9w:fz806W9t/MvEKt
Static task
static1
Behavioral task
behavioral1
Sample
d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d723f44d1d2943966f9ad4e5529af1816bfb51f261e68304241255a68f8c15d7.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: mymagicbox202@gmail.com
Password: alabama111
Targets
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-