General
-
Target
0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1
-
Size
1007KB
-
Sample
221128-nfapwsec3y
-
MD5
5ae5b9fd23698f70e2b0bbfa91dc4bc3
-
SHA1
d59f364bf8707be6aa529d52d3e695a3be23469b
-
SHA256
0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1
-
SHA512
b9159b28be5c8e3a8651e2a14cba8da59a103db507b2db657a7717bede1ed96f8b72cb66df01eff4d7c2aba4bffc894af7141e81f23e28174606c4ba19bc6949
-
SSDEEP
24576:1Bd5WtFBJDsi+uNaLRILoHKdYH1CeZbi6ezAot3EF8x20C7R1dH:M3Dsi38dDt
Behavioral task
behavioral1
Sample
0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1.exe
Resource
win7-20221111-en
Malware Config
Targets
-
-
Target
0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1
-
Size
1007KB
-
MD5
5ae5b9fd23698f70e2b0bbfa91dc4bc3
-
SHA1
d59f364bf8707be6aa529d52d3e695a3be23469b
-
SHA256
0b65cec380e24cdc60a6e034ecc0ad1d47f52048dc11f88d33f693fde52870a1
-
SHA512
b9159b28be5c8e3a8651e2a14cba8da59a103db507b2db657a7717bede1ed96f8b72cb66df01eff4d7c2aba4bffc894af7141e81f23e28174606c4ba19bc6949
-
SSDEEP
24576:1Bd5WtFBJDsi+uNaLRILoHKdYH1CeZbi6ezAot3EF8x20C7R1dH:M3Dsi38dDt
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-