General
-
Target
8fd3c8d738be0a1dd47b02711087695e01a30087ff4b8d716670f5f66f858ebf
-
Size
775KB
-
Sample
221128-gnmwvsag47
-
MD5
16a897364f01645addf5042ecd8f0276
-
SHA1
7426d8e3bfc9f68fb4ca6435368d63505f9425f5
-
SHA256
8fd3c8d738be0a1dd47b02711087695e01a30087ff4b8d716670f5f66f858ebf
-
SHA512
c08cb2ecfb7001267ccd6937c9ef5f90ea65b683e2219c812e7e51c5f71d0540b66f75aab8d93c7a91f7329aae6a6b13d6ace1fb9ad6f4b2675ffd57298248d5
-
SSDEEP
12288:qVHf4cyi3hFhMawZ2lB2gIJ9Zo8MLM9ViCWNwFpWe7WsNOfqJiMSmq0jxmE4RU4C:qCSmawZ2uV9r8+XtOGiVT0mEt
Static task
static1
Behavioral task
behavioral1
Sample
8fd3c8d738be0a1dd47b02711087695e01a30087ff4b8d716670f5f66f858ebf.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
8fd3c8d738be0a1dd47b02711087695e01a30087ff4b8d716670f5f66f858ebf.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: runelogor@gmail.com
Password: rune1234
Targets
-
Target
8fd3c8d738be0a1dd47b02711087695e01a30087ff4b8d716670f5f66f858ebf
-
Size
775KB
-
MD5
16a897364f01645addf5042ecd8f0276
-
SHA1
7426d8e3bfc9f68fb4ca6435368d63505f9425f5
-
SHA256
8fd3c8d738be0a1dd47b02711087695e01a30087ff4b8d716670f5f66f858ebf
-
SHA512
c08cb2ecfb7001267ccd6937c9ef5f90ea65b683e2219c812e7e51c5f71d0540b66f75aab8d93c7a91f7329aae6a6b13d6ace1fb9ad6f4b2675ffd57298248d5
-
SSDEEP
12288:qVHf4cyi3hFhMawZ2lB2gIJ9Zo8MLM9ViCWNwFpWe7WsNOfqJiMSmq0jxmE4RU4C:qCSmawZ2uV9r8+XtOGiVT0mEt
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext