General
-
Target
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
Size
1008KB
-
Sample
221128-mb7cmafb37
-
MD5
3a4ab7084fe967a029f3c54ab7f9cf52
-
SHA1
648827cb4d63421ff5fbc6dd04282dc11ca6ca99
-
SHA256
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
SHA512
12f6a31615919c0fc4b949f529114c65fe8d7e6c14a3ede82e9e4e8b5fa5ac40808fd863e249caa580210d657396f5e13f1bac44c8c30b3cef4c81b57e7c6ff1
-
SSDEEP
12288:yfX3sAdDa1oLJNoKwQS9/Vh1IJcXWyPiKFdZJP3t+vlYvhDPlIrvtgpxVcvuS94U:gyo1N6VkJhyPDl3zPlIvnvuxHHGdH
Behavioral task
behavioral1
Sample
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e.exe
Resource
win7-20220812-en
Malware Config
Targets
-
-
Target
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
Size
1008KB
-
MD5
3a4ab7084fe967a029f3c54ab7f9cf52
-
SHA1
648827cb4d63421ff5fbc6dd04282dc11ca6ca99
-
SHA256
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
SHA512
12f6a31615919c0fc4b949f529114c65fe8d7e6c14a3ede82e9e4e8b5fa5ac40808fd863e249caa580210d657396f5e13f1bac44c8c30b3cef4c81b57e7c6ff1
-
SSDEEP
12288:yfX3sAdDa1oLJNoKwQS9/Vh1IJcXWyPiKFdZJP3t+vlYvhDPlIrvtgpxVcvuS94U:gyo1N6VkJhyPDl3zPlIvnvuxHHGdH
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-