General
- Target: def0634b97de032fca1c34f1aecec36362c82a1fdebf652321a9a52208f3a7df
- Size: 3.0MB
- Sample: 221128-wsm5raee89
- MD5: b84dfc03c6f610a24bf3ddf7be7f6e54
- SHA1: 311010b0638ba1d954f078f6a9b98b73386906b5
- SHA256: def0634b97de032fca1c34f1aecec36362c82a1fdebf652321a9a52208f3a7df
- SHA512: ce3c70d6c7ab8526334cd5ecb12282cb3382481893e39f4bb0090f1c801948a7d4a88deb87b2152766e58540d0c7f37e55c48964a13642a31c881008880342e0
- SSDEEP: 49152:A8dXQmuGBnx07pCTyT6c7FQqEfTFfsWw0PFMO6:AoXBuYxv8vyqEfFLwCFM
Static task: static1
Behavioral task: behavioral1
- Sample: def0634b97de032fca1c34f1aecec36362c82a1fdebf652321a9a52208f3a7df.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: def0634b97de032fca1c34f1aecec36362c82a1fdebf652321a9a52208f3a7df.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.messagingengine.com
- Port: 587
- Username: azarbaijJ@fastmail.com
- Password: qedrks8q9hlo8up1ao7hrljvc7
These are the SMTP credentials embedded in the sample: the mailbox the stealer authenticates to in order to send harvested data, not a victim account. The host and port are the network indicators to hunt for; the account itself is the one to report to the mail provider.
Targets
- Target: def0634b97de032fca1c34f1aecec36362c82a1fdebf652321a9a52208f3a7df
- Size: 3.0MB
- MD5: b84dfc03c6f610a24bf3ddf7be7f6e54
- SHA1: 311010b0638ba1d954f078f6a9b98b73386906b5
- SHA256: def0634b97de032fca1c34f1aecec36362c82a1fdebf652321a9a52208f3a7df
- SHA512: ce3c70d6c7ab8526334cd5ecb12282cb3382481893e39f4bb0090f1c801948a7d4a88deb87b2152766e58540d0c7f37e55c48964a13642a31c881008880342e0
- SSDEEP: 49152:A8dXQmuGBnx07pCTyT6c7FQqEfTFfsWw0PFMO6:AoXBuYxv8vyqEfFLwCFM
- Modifies WinLogon for persistence
  Writes to Winlogon registry values (such as Userinit or Shell), which are executed at every interactive logon.
- NirSoft MailPassView
  Password recovery tool for various email clients; a legitimate NirSoft utility bundled by stealers to harvest saved email credentials.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers; likewise bundled to dump saved browser logins.
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler (vbc.exe) for execution
  Launching the Visual Basic .NET compiler from a non-development process is, together with the SetThreadContext use below, consistent with the payload running inside a hollowed vbc.exe process.
- Accesses Microsoft Outlook accounts
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Typically seen when a payload is written into a suspended child process and its thread context is redirected to the injected code (process hollowing).
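The extracted SMTP configuration and the behaviours in the signature list translate directly into host-based detections. The block below is an added example, not part of the sandbox report or its tooling: it scans Sysmon-style process, network and registry events for the exfiltration endpoint from the config, a Winlogon Userinit/Shell change, vbc.exe launched by a non-build-tool parent, and connections to IP-lookup services. The event field names, the sample events, the set of IP-lookup hosts, and the mail-client and build-tool allow-lists are assumptions chosen for the example; the report does not name the lookup service the sample used.

```python
"""Added example (not from the sandbox report): match constructed Sysmon-style
events against the behaviours and the SMTP exfiltration config listed above.
Field names, sample events and allow-lists are assumptions for this example."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the report's extracted config.
EXFIL_HOST = "mail.messagingengine.com"
EXFIL_PORT = 587

# Assumed: common public IP-lookup services (the report does not name the one used).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}

# Assumed allow-lists: processes that legitimately submit mail on 587 / launch vbc.exe.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
VBC_LEGIT_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}

# Winlogon values whose modification yields logon persistence.
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single event matches."""
    hits: List[str] = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    if eid == "3":  # Sysmon NetworkConnect
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", "0"))
        if host == EXFIL_HOST:
            hits.append("smtp_exfil_endpoint")
        elif port == EXFIL_PORT and image not in MAIL_CLIENTS:
            # Port 587 alone is noisy: only flag it outside known mail clients.
            hits.append("smtp_submission_from_non_mail_client")
        if host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif eid == "13":  # Sysmon RegistryEvent (value set)
        if WINLOGON_RE.search(ev.get("TargetObject", "")):
            hits.append("winlogon_persistence")
    elif eid == "1":  # Sysmon ProcessCreate
        parent = _basename(ev.get("ParentImage", ""))
        if image == "vbc.exe" and parent not in VBC_LEGIT_PARENTS:
            hits.append("vbc_spawned_by_non_build_tool")
    return hits


def scan_events(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for every event that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        for rule in check_event(ev):
            findings.append((rule, ev.get("Image", "")))
    return findings


# Constructed sample events (not real telemetry from the sandbox run).
SAMPLE_EXE = (r"C:\Users\victim\Desktop\def0634b97de032fca1c34f1aecec363"
              r"62c82a1fdebf652321a9a52208f3a7df.exe")
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": VBC, "ParentImage": SAMPLE_EXE},
    {"EventID": "13", "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"EventID": "3", "Image": VBC,
     "DestinationHostname": "api.ipify.org", "DestinationPort": "443"},
    {"EventID": "3", "Image": VBC,
     "DestinationHostname": "mail.messagingengine.com", "DestinationPort": "587"},
    # Benign: a real mail client submitting on 587 must not fire.
    {"EventID": "3", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": "587"},
    # Benign: vbc.exe started by a build tool must not fire.
    {"EventID": "1", "Image": VBC, "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe"},
]

if __name__ == "__main__":
    for rule, image in scan_events(SAMPLE_EVENTS):
        print(f"{rule:38s} {image}")
```

Run stand-alone it reports four findings for the constructed events and stays silent on the two benign ones; in a real pipeline the hostname match should be supplemented with a resolved-IP match, since Sysmon only fills DestinationHostname when reverse lookup succeeds.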