General
Target: 252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df
Size: 1.0MB
Sample: 221128-wlvk9aaa9s
MD5: ba94b8d9b8240b4958e493f20dcd1661
SHA1: e188dea55d097009b49a6e809c288aa700fd2119
SHA256: 252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df
SHA512: 666e64995c70cc08d5cee97aeda9d8ebeba5d2f04974eb25104d1683c01fde8af11aab1e8a0dd600d5ace5d70c46b97b54ee9db5f4cd65675f8808d2061b5298
SSDEEP: 24576:P+nIKZfldGM5sEvSI+k4rRrDW1c9wBmTGNN5:PaIUldGraSI+jlrS1c9wz5
Behavioral task: behavioral1
Sample: 252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 252dbf19133d7c806d2d735d45a4b541beb0e823e390716ec669a753119323df.exe
Resource: win10v2004-20220901-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.com
Port: 587
Username: goldmalaysia@mail.com
Password: collins123
Targets
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext