General
-
Target
6067680dc0860adc3240e978a8c75b958e3fdc279aa706e3b0fdfd86cbc3e4ed
-
Size
525KB
-
Sample
221128-l151esed45
-
MD5
5f301ededa07ad68b3393620c739f8c0
-
SHA1
c5166fe823ab114131517423c6773e347b342d21
-
SHA256
6067680dc0860adc3240e978a8c75b958e3fdc279aa706e3b0fdfd86cbc3e4ed
-
SHA512
25acad5eafaad7cb42e3b5532046a78427f95d522108572ddd5b7eee6e8cba2fcd2ac587e8ca6aa4c39e25dd9d3a3784f44b11a4abd59260b517878d1ecfb732
-
SSDEEP
12288:cOTa5gefjJ2YFYsMN40A/QSPIcFGZcWf41cFpE00oLzId:NEgajZFDPR/h7GL4SPB0
Behavioral task
behavioral1
Sample
6067680dc0860adc3240e978a8c75b958e3fdc279aa706e3b0fdfd86cbc3e4ed.exe
Resource
win7-20221111-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
deelogs@mail.ru - Password:
Nail1opr
Targets
-
-
Target
6067680dc0860adc3240e978a8c75b958e3fdc279aa706e3b0fdfd86cbc3e4ed
-
Size
525KB
-
MD5
5f301ededa07ad68b3393620c739f8c0
-
SHA1
c5166fe823ab114131517423c6773e347b342d21
-
SHA256
6067680dc0860adc3240e978a8c75b958e3fdc279aa706e3b0fdfd86cbc3e4ed
-
SHA512
25acad5eafaad7cb42e3b5532046a78427f95d522108572ddd5b7eee6e8cba2fcd2ac587e8ca6aa4c39e25dd9d3a3784f44b11a4abd59260b517878d1ecfb732
-
SSDEEP
12288:cOTa5gefjJ2YFYsMN40A/QSPIcFGZcWf41cFpE00oLzId:NEgajZFDPR/h7GL4SPB0
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-