General

Target: 565aae79d2270fde1477ea6dfd9edb777d99982ba9dc0eab6156831e10cbc540
Size: 462KB
Sample: 221127-ws75xsgf78
MD5: e9b21303bc4b24cd7a9eed72e1f31cd2
SHA1: d18baa627c66bc5b87171ed3933604507a6983a4
SHA256: 565aae79d2270fde1477ea6dfd9edb777d99982ba9dc0eab6156831e10cbc540
SHA512: ad6589226b8526297701598b20c30b7a450d5df0a9f3fb2d35edfa76fd02e5572e684422dfb404853eeed637649363dde78ee1c4ec501aefa0f4015785caee56
SSDEEP: 12288:otdLCh1vv4k18p8bZhkFJMjiE6YqVAT4fVm:oHLIvB8p8be4AYrT4fA
Static task: static1

Behavioral task: behavioral1
Sample: 565aae79d2270fde1477ea6dfd9edb777d99982ba9dc0eab6156831e10cbc540.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 565aae79d2270fde1477ea6dfd9edb777d99982ba9dc0eab6156831e10cbc540.exe
Resource: win10v2004-20220812-en
Malware Config

Targets

Target: 565aae79d2270fde1477ea6dfd9edb777d99982ba9dc0eab6156831e10cbc540
Signatures:
- Modifies WinLogon for persistence
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext