Extracted

• • Target

    aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097

  • Size

    4.2MB

  • MD5

    0fceb8d2c081bbc44857aa5691040515

  • SHA1

    23fd85edd4bcb9b9e6ddb14dc8e2965380aa5783

  • SHA256

    aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097

  • SHA512

    3348bdfd23a695a4ffa65ba8cfd09ff4d85922236521eddc846bfcf33041db78056e35c43aa83ea799120a7fa60c203320b6b93354e723bb6f58b903f1854b3f

  • SSDEEP

    49152:OK35iAwrepqkeke4UdDF2EwuYn8yaIb5aVieEjhK5D6bIi84yxba82qwX2Di9xoy:OK3QAwU7e4ElQJZ+9hIyjwGu9OBqTfiC

  Score

  10^/10

  collectionevasionpersistencespywarestealer

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • Nirsoft

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence
  behavioral1behavioral2