General
-
Target
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
Size
992KB
-
Sample
221128-nfg4zaaa79
-
MD5
f915f94f551c0c5371d093dbe27bbfaa
-
SHA1
912941a11e2c924eceb37ac5928ba457a10d8512
-
SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
SSDEEP
24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
Behavioral task
behavioral1
Sample
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
diamond7625w@gmail.com - Password:
pdmiawgubaleywef
Targets
-
-
Target
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
Size
992KB
-
MD5
f915f94f551c0c5371d093dbe27bbfaa
-
SHA1
912941a11e2c924eceb37ac5928ba457a10d8512
-
SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
-
SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
SSDEEP
24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-