General
-
Target
ba035412a2f4ce5f1496c6ed0220fa9958c070a532dd4b2541b648331a3a0454
-
Size
958KB
-
Sample
221128-mwn2sagf37
-
MD5
badb642f54c9fb88a6174f27e4231357
-
SHA1
3863d0524566f48550a17ec68a624c85efdf0371
-
SHA256
ba035412a2f4ce5f1496c6ed0220fa9958c070a532dd4b2541b648331a3a0454
-
SHA512
4c07a3af45a2101ae58b613686c43f774c24fba2068455ac7e186ed472be537858d0dc473a3429c745be6affc3b5565e465f8d500550e785c60079a15be56976
-
SSDEEP
24576:vPY8bgepVfD2/HyJji3MIMtPJZdGRUKmlSAupU0LeSVJWUK:n7bE+i3MJPJcYlSAupDzr3K
Behavioral task
behavioral1
Sample
PI.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PI.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
diamond7625w@gmail.com - Password:
pdmiawgubaleywef
Targets
-
-
Target
PI.exe
-
Size
992KB
-
MD5
f915f94f551c0c5371d093dbe27bbfaa
-
SHA1
912941a11e2c924eceb37ac5928ba457a10d8512
-
SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
SSDEEP
24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-