General
-
Target
da4f8f6ad61cbcd12f2cb06887c512256ea9cc1936d477bc7dc5ff6028ff53a2
-
Size
540KB
-
Sample
221128-j5rbqahb73
-
MD5
0aa93035f26b4d4292fbfc972ce86264
-
SHA1
5db8a5285b59612d2013e47b52b778342f6dfa42
-
SHA256
da4f8f6ad61cbcd12f2cb06887c512256ea9cc1936d477bc7dc5ff6028ff53a2
-
SHA512
511dd2e32572d6ab0b72e853ab61318d5ecaefd871a48df3f6e9f24b315f564c45040bee123a67538cd50589e4732989654b4a449b93fb2e03b4c6476dd7ea76
-
SSDEEP
6144:Zu2GiFbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9JIJ:jQtqB5urTIoYWBQk1E+VF9mOx9Ju
Static task
static1
Behavioral task
behavioral1
Sample
da4f8f6ad61cbcd12f2cb06887c512256ea9cc1936d477bc7dc5ff6028ff53a2.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
da4f8f6ad61cbcd12f2cb06887c512256ea9cc1936d477bc7dc5ff6028ff53a2.exe
Resource
win10v2004-20220901-en
Malware Config
Targets
-
-
Target
da4f8f6ad61cbcd12f2cb06887c512256ea9cc1936d477bc7dc5ff6028ff53a2
-
Size
540KB
-
MD5
0aa93035f26b4d4292fbfc972ce86264
-
SHA1
5db8a5285b59612d2013e47b52b778342f6dfa42
-
SHA256
da4f8f6ad61cbcd12f2cb06887c512256ea9cc1936d477bc7dc5ff6028ff53a2
-
SHA512
511dd2e32572d6ab0b72e853ab61318d5ecaefd871a48df3f6e9f24b315f564c45040bee123a67538cd50589e4732989654b4a449b93fb2e03b4c6476dd7ea76
-
SSDEEP
6144:Zu2GiFbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9JIJ:jQtqB5urTIoYWBQk1E+VF9mOx9Ju
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-