General

- Target: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
- Size: 851KB
- Sample: 221127-znzvjagg82
- MD5: a325f236a67ad2b6358456ab41e1579c
- SHA1: f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f
- SHA256: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
- SHA512: e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955
- SSDEEP: 12288:Edzgfn7tc9g5pdpfeAvdbzseZtzsUrm4GWbhuAmjKwtC2ccq6/C:EdzM7X5RPNTlrm4GWbh0jKuCa/
Static task
- static1

Behavioral task
- behavioral1
- Sample: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
- Resource: win7-20220812-en

Behavioral task
- behavioral2
- Sample: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
- Resource: win10v2004-20220812-en
Malware Config

Extracted
- Protocol: smtp
- Host: mail.krippspharmacy.com
- Port: 587
- Username: mail@krippspharmacy.com
- Password: 12Durex@

Port 587 is the mail submission port, so the sample authenticates to this mailbox with the embedded credentials and sends collected data out as ordinary outbound mail. The host, the account and the port are the exfiltration channel to block at the egress proxy and to hunt for in mail and network logs; the credentials belong to a compromised or attacker-controlled mailbox and should not be reused or tested against the server.
Targets

- Target: f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876 (the analysed sample; size and hashes as listed under General above)
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution: vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework, is started by the sample. Outside of build tooling this binary has no reason to run, which makes its launch by a user-land process a good hunting pivot.
- Accesses Microsoft Outlook accounts: reads stored Outlook account and profile settings, where mail credentials live; consistent with the SMTP exfiltration channel above.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP. The report does not name the service.
- Suspicious use of SetThreadContext: setting another process's thread context is the classic final step of process hollowing. Read together with the vbc.exe launch, this is consistent with the payload being injected into the compiler process, although the report does not state the injection target explicitly.
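Added example, not part of the Triage report: a small detector that turns the extracted SMTP configuration and the behaviours listed above into rules over a constructed event stream, so the same logic can be dropped over real EDR or sandbox telemetry. The event schema, the sample events, the rule names, the IP-lookup host list and the build-tool allow-list are assumptions; the report names neither the IP-lookup service nor the process that launches vbc.exe.

```python
"""Triage-style IOC and behaviour matching over constructed sandbox events.

Added example, not part of the Triage report. The IOCs are copied from the
report; the event schema and the sample events are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Indicators taken from the report --------------------------------------
C2_SMTP_HOST = "mail.krippspharmacy.com"
C2_SMTP_PORT = 587
SAMPLE_SHA256 = "f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876"

# --- Assumptions not stated in the report ----------------------------------
# The report only says "a legitimate IP lookup service"; this is an assumed
# list of commonly abused services.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}
# Parents that legitimately launch the VB.NET compiler (assumed allow-list).
LEGIT_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
OUTLOOK_PROFILE_RE = re.compile(r"\\Outlook\\Profiles\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> list[Finding]:
    """Apply the report's behaviours as detection rules to an event list."""
    findings: list[Finding] = []
    executed: set[str] = set()  # images we have seen start, for the self-delete rule
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            image, parent = _basename(ev["image"]), _basename(ev.get("parent_image", ""))
            executed.add(ev["image"].lower())
            # vbc.exe started by something other than a build tool and with no
            # source file on the command line: heuristic for "uses the VBS
            # compiler for execution" (assumed, see lead-in).
            if image == "vbc.exe" and parent not in LEGIT_VBC_PARENTS \
                    and ".vb" not in ev.get("cmdline", "").lower():
                findings.append(Finding("vbc_launched_by_non_build_tool", f"{parent} -> {image}"))
        elif kind == "net_connect":
            host = ev["dst_host"].lower()
            if host == C2_SMTP_HOST and ev["dst_port"] == C2_SMTP_PORT:
                findings.append(Finding("smtp_exfil_to_known_c2", f"{ev['process']} -> {host}:{ev['dst_port']}"))
            elif host in IP_LOOKUP_HOSTS:
                findings.append(Finding("external_ip_lookup", f"{ev['process']} -> {host}"))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            findings.append(Finding("run_key_persistence", f"{ev['key']}\\{ev['value']} = {ev['data']}"))
        elif kind == "registry_query" and OUTLOOK_PROFILE_RE.search(ev["key"]):
            findings.append(Finding("outlook_account_access", ev["key"]))
        elif kind == "file_delete" and ev["path"].lower() in executed:
            # The binary that ran earlier is now being removed (often via cmd.exe).
            findings.append(Finding("self_delete", f"{ev['process']} deleted {ev['path']}"))
    return findings


SAMPLE_PATH = r"C:\Users\victim\AppData\Local\Temp\f3078cbc.exe"  # constructed
VBC_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed event stream modelled on the behaviours in the report, plus one
# benign MSBuild compile so the vbc.exe rule is shown not firing on it.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": SAMPLE_PATH, "parent_image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"type": "registry_query", "process": SAMPLE_PATH,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "registry_set", "process": SAMPLE_PATH,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"type": "process_create", "image": VBC_PATH, "parent_image": SAMPLE_PATH, "cmdline": ""},
    {"type": "net_connect", "process": "vbc.exe", "dst_host": "api.ipify.org", "dst_port": 443},
    {"type": "net_connect", "process": "vbc.exe", "dst_host": "mail.krippspharmacy.com", "dst_port": 587},
    {"type": "file_delete", "process": r"C:\Windows\System32\cmd.exe", "path": SAMPLE_PATH},
    {"type": "process_create", "image": VBC_PATH, "parent_image": r"C:\Program Files\MSBuild\MSBuild.exe",
     "cmdline": "/out:app.dll app.vb"},
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.evidence}")
```

Each rule maps to one line of the report's behaviour list, so a miss on real telemetry points directly at which behaviour your logging does not capture (for example, no `registry_query` events means the Outlook rule can never fire).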