General
- Target: 5a81bfc77d9724703ba17bfbb543b8d0e05ee11b1f8a0159dc1bfe6b55278cd7
- Size: 1.7MB
- Sample: 221128-ws75xsef45
- MD5: 052a940aae3e54fc50f6a407e68f6e29
- SHA1: a6be32c5d51476cc4d81d91959572c442209164a
- SHA256: 5a81bfc77d9724703ba17bfbb543b8d0e05ee11b1f8a0159dc1bfe6b55278cd7
- SHA512: a5ad7a0336f2285018f844e4c5df30e9b19f2d7f7ff814a3ff1f69903c271fab60a3044efff5226265bd620491ba8abf7198a7c81019412bcc95cb4b027cbe63
- SSDEEP: 24576:nWo63tNOdcwUAJONc30Zf/jSJGtvb6YtT7CU30wfTLlS4P1THSRzXJYHf7XBe7aE:3cWb3fAb6aT73jbuJY/7XdSR
Static task
- static1

Behavioral task
- behavioral1
- Sample: 5a81bfc77d9724703ba17bfbb543b8d0e05ee11b1f8a0159dc1bfe6b55278cd7.exe
- Resource: win7-20220812-en

Behavioral task
- behavioral2
- Sample: 5a81bfc77d9724703ba17bfbb543b8d0e05ee11b1f8a0159dc1bfe6b55278cd7.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.messagingengine.com
- Port: 587
- Username: azarbaijJ@fastmail.com
- Password: qedrks8q9hlo8up1ao7hrljvc7
Targets
- Target: 5a81bfc77d9724703ba17bfbb543b8d0e05ee11b1f8a0159dc1bfe6b55278cd7
- Modifies WinLogon for persistence
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Drops desktop.ini file(s)
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext