General
-
Target
50afc94cc419ab9bee9e9afc05c877e0c9fb30d9d5d7e14d7fb3a30e74b87efc
-
Size
507KB
-
Sample
221128-l96y3sfa36
-
MD5
9ddce89c0c55c1c2b9a381fffed32575
-
SHA1
508ae09e9fb2b738cb4347a3cefef7c64bfa84d2
-
SHA256
50afc94cc419ab9bee9e9afc05c877e0c9fb30d9d5d7e14d7fb3a30e74b87efc
-
SHA512
019a5dbc6e30fd39e30c2a2164e6d2bfdc1fafb61e6102a7ce37e486dc83f4b33d1982cf5175a6e7c49353a3cd91289dead9b9748472a9c15c468b14c5a5fc2b
-
SSDEEP
12288:QLCPR8IuywPYZqV64CDFGHPfAc/bZ4OqsCeZc:QLCIyXZjCJt4e
Static task
static1
Behavioral task
behavioral1
Sample
50afc94cc419ab9bee9e9afc05c877e0c9fb30d9d5d7e14d7fb3a30e74b87efc.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
50afc94cc419ab9bee9e9afc05c877e0c9fb30d9d5d7e14d7fb3a30e74b87efc.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
hollisgoran@gmail.com - Password:
qwerty@321
Targets
-
-
Target
50afc94cc419ab9bee9e9afc05c877e0c9fb30d9d5d7e14d7fb3a30e74b87efc
-
Size
507KB
-
MD5
9ddce89c0c55c1c2b9a381fffed32575
-
SHA1
508ae09e9fb2b738cb4347a3cefef7c64bfa84d2
-
SHA256
50afc94cc419ab9bee9e9afc05c877e0c9fb30d9d5d7e14d7fb3a30e74b87efc
-
SHA512
019a5dbc6e30fd39e30c2a2164e6d2bfdc1fafb61e6102a7ce37e486dc83f4b33d1982cf5175a6e7c49353a3cd91289dead9b9748472a9c15c468b14c5a5fc2b
-
SSDEEP
12288:QLCPR8IuywPYZqV64CDFGHPfAc/bZ4OqsCeZc:QLCIyXZjCJt4e
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-