General
-
Target
0f721605673746ce2baca55587e11291c613c11e9c6eb302888c5949d9990444
-
Size
1002KB
-
Sample
221128-ncwsyshh26
-
MD5
7f8eb7c2a8b0ba16abfc3cdf03402b3f
-
SHA1
1a13c342502d1f7acda4e3dae0a3c2fbc1ca8cab
-
SHA256
0f721605673746ce2baca55587e11291c613c11e9c6eb302888c5949d9990444
-
SHA512
e6c7362e8058c994ef1cc8abbb0afdff96d05eec14884fa97fc2e8b558f24f040a40646743dfe8e05b126c34179415c329a71bb91fe54fd2b4b4d7d0f36d3c12
-
SSDEEP
24576:+pGSfvwO6LUFv4v+TLJbB4z6LJ5NOqgVUvdH:qGSfdWvILJbBiiEqgVGt
Behavioral task
behavioral1
Sample
0f721605673746ce2baca55587e11291c613c11e9c6eb302888c5949d9990444.exe
Resource
win7-20221111-en
Malware Config
Targets
-
-
Target
0f721605673746ce2baca55587e11291c613c11e9c6eb302888c5949d9990444
-
Size
1002KB
-
MD5
7f8eb7c2a8b0ba16abfc3cdf03402b3f
-
SHA1
1a13c342502d1f7acda4e3dae0a3c2fbc1ca8cab
-
SHA256
0f721605673746ce2baca55587e11291c613c11e9c6eb302888c5949d9990444
-
SHA512
e6c7362e8058c994ef1cc8abbb0afdff96d05eec14884fa97fc2e8b558f24f040a40646743dfe8e05b126c34179415c329a71bb91fe54fd2b4b4d7d0f36d3c12
-
SSDEEP
24576:+pGSfvwO6LUFv4v+TLJbB4z6LJ5NOqgVUvdH:qGSfdWvILJbBiiEqgVGt
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-