General
-
Target
cb31481ceeb76a7ec086e763ae8c7c852db581c6370e4dbd008db619bfd26828
-
Size
958KB
-
Sample
221128-mwl77ach3v
-
MD5
24e1c4f775d8c4d88f35d6bd98604c8c
-
SHA1
d64fd9627426d05bc7b42c74e16be85449e0418d
-
SHA256
cb31481ceeb76a7ec086e763ae8c7c852db581c6370e4dbd008db619bfd26828
-
SHA512
1c01a4fd99303247b9bf7ab384eb77aa24a3ece04f43853ee6de40d7ea4c5ea54657a3ea9d779bf0aab5a25e846963e563a9fc39537fb7443a3b66c5fa71d2fb
-
SSDEEP
24576:nPY8bgepVfD2/HyJji3MIMtPJZdGRUKmlSAupU0LeSVJWUh:P7bE+i3MJPJcYlSAupDzr3h
Behavioral task
behavioral1
Sample
PI.exe
Resource
win7-20220812-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
diamond7625w@gmail.com - Password:
pdmiawgubaleywef
Targets
-
-
Target
PI.exe
-
Size
992KB
-
MD5
f915f94f551c0c5371d093dbe27bbfaa
-
SHA1
912941a11e2c924eceb37ac5928ba457a10d8512
-
SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
SSDEEP
24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-