General
-
Target
e4ebab2236fe8ee61d700af17698b9b78a7b4a017fbbcc1c348ca5c43846ed00
-
Size
553KB
-
Sample
230129-r7gjasch7z
-
MD5
7377245e4800bddf4a04988972a7d0b4
-
SHA1
aff20a83a8638f57774c7035b01f16198e06e2fa
-
SHA256
e4ebab2236fe8ee61d700af17698b9b78a7b4a017fbbcc1c348ca5c43846ed00
-
SHA512
74eeb62a8b90d030125252312f52dd7f554f0c45d20191fbedb55e78a74149e4e2908aba72a4d41be7c85c3f9dffd924acdae9ceffa6f02055dcc8ae07a55408
-
SSDEEP
6144:ULuBqxStDbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxb:1tDQtqB5urTIoYWBQk1E+VF9mOx9Uit
Static task
static1
Behavioral task
behavioral1
Sample
e4ebab2236fe8ee61d700af17698b9b78a7b4a017fbbcc1c348ca5c43846ed00.exe
Resource
win7-20221111-en
Malware Config
Extracted
-
Protocol
smtp
-
Host
smtp.mail.ru
-
Port
587
-
Username
awdawfav@mail.ru
-
Password
Bopone4489
Targets
-
Target
e4ebab2236fe8ee61d700af17698b9b78a7b4a017fbbcc1c348ca5c43846ed00
-
Size
553KB
-
MD5
7377245e4800bddf4a04988972a7d0b4
-
SHA1
aff20a83a8638f57774c7035b01f16198e06e2fa
-
SHA256
e4ebab2236fe8ee61d700af17698b9b78a7b4a017fbbcc1c348ca5c43846ed00
-
SHA512
74eeb62a8b90d030125252312f52dd7f554f0c45d20191fbedb55e78a74149e4e2908aba72a4d41be7c85c3f9dffd924acdae9ceffa6f02055dcc8ae07a55408
-
SSDEEP
6144:ULuBqxStDbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxb:1tDQtqB5urTIoYWBQk1E+VF9mOx9Uit
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely to geofence execution.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
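Triage helper built from the indicators in this report (added example, not part of the sandbox output). It encodes the hashes, the extracted SMTP exfiltration config and the Run-key persistence behaviour listed above, then runs them against a few constructed Sysmon-style events and a constructed SMTP AUTH LOGIN exchange. The flat event dicts are a simplification of Sysmon event IDs 1, 3 and 13 (an assumption of this example), and every log line and file path below is made up.

```python
"""Triage helper for the indicators in this sandbox report.

Added example, not part of the sandbox output. The event dicts are a
simplified form of Sysmon event IDs 1 (process create), 3 (network
connect) and 13 (registry value set); the telemetry and the SMTP
transcript below are constructed for the example.
"""
import base64
import hashlib
import re
from typing import Optional

# Indicators copied from the report above.
REPORT_HASHES = {
    "md5": "7377245e4800bddf4a04988972a7d0b4",
    "sha1": "aff20a83a8638f57774c7035b01f16198e06e2fa",
    "sha256": "e4ebab2236fe8ee61d700af17698b9b78a7b4a017fbbcc1c348ca5c43846ed00",
    "sha512": "74eeb62a8b90d030125252312f52dd7f554f0c45d20191fbedb55e78a74149e4e"
              "2908aba72a4d41be7c85c3f9dffd924acdae9ceffa6f02055dcc8ae07a55408",
}
EXFIL_HOST = "smtp.mail.ru"
EXFIL_PORT = 587
EXFIL_USER = "awdawfav@mail.ru"

# A value under HKCU/HKU ...\CurrentVersion\Run\<name> is the "Adds Run key" behaviour.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)

# Constructed events (not real telemetry). Sysmon reports hashes in upper-case hex.
EVENTS = [
    {"id": 1, "image": r"C:\Users\user\Downloads\sample.exe",
     "hashes": "MD5=7377245E4800BDDF4A04988972A7D0B4,"
               "SHA256=E4EBAB2236FE8EE61D700AF17698B9B78A7B4A017FBBCC1C348CA5C43846ED00"},
    {"id": 3, "image": r"C:\Users\user\Downloads\sample.exe", "dst_host": "smtp.mail.ru", "dst_port": 587},
    {"id": 13, "image": r"C:\Users\user\Downloads\sample.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\sample"},
    # Benign noise: a mail client on the same port, and a non-Run registry write.
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "smtp.office365.com", "dst_port": 587},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

# Constructed SMTP AUTH LOGIN exchange. The username travels base64-encoded, not encrypted,
# so this is only observable before STARTTLS or where egress TLS is inspected.
SMTP_TRANSCRIPT = """
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YXdkYXdmYXZAbWFpbC5ydQ==
S: 334 UGFzc3dvcmQ6
C: (base64 password, omitted here)
"""


def hashes_match(data: bytes) -> dict:
    """Per algorithm, whether `data` hashes to the value in the report (sanity check before detonation)."""
    return {name: hashlib.new(name, data).hexdigest() == expected for name, expected in REPORT_HASHES.items()}


def is_sample_execution(event: dict) -> bool:
    """Event 1 whose SHA256 equals the report's target hash."""
    if event.get("id") != 1:
        return False
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("hashes", ""))
    return bool(m) and m.group(1).lower() == REPORT_HASHES["sha256"]


def is_exfil_connection(event: dict) -> bool:
    """Event 3 to the extracted SMTP host and port."""
    return (event.get("id") == 3
            and str(event.get("dst_host", "")).lower() == EXFIL_HOST
            and int(event.get("dst_port", 0)) == EXFIL_PORT)


def is_run_key_persistence(event: dict) -> bool:
    """Event 13 setting a value under a Run key."""
    return event.get("id") == 13 and bool(RUN_KEY_RE.search(event.get("target", "")))


def triage(events: list) -> dict:
    """Map each behaviour from the report to the indices of matching events."""
    checks = {"sample_execution": is_sample_execution,
              "exfil": is_exfil_connection,
              "persistence": is_run_key_persistence}
    return {name: [i for i, ev in enumerate(events) if check(ev)] for name, check in checks.items()}


def smtp_auth_user(transcript: str) -> Optional[str]:
    """Recover the username from an AUTH LOGIN exchange: the client line after the '334 Username:' prompt."""
    lines = [ln.strip() for ln in transcript.strip().splitlines()]
    for i, line in enumerate(lines):
        if line.upper().endswith("AUTH LOGIN") and i + 2 < len(lines):
            try:
                return base64.b64decode(lines[i + 2].split()[-1]).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


if __name__ == "__main__":
    print(triage(EVENTS))
    print("AUTH LOGIN user:", smtp_auth_user(SMTP_TRANSCRIPT), "matches report:",
          smtp_auth_user(SMTP_TRANSCRIPT) == EXFIL_USER)
```

The Outlook connection to a different SMTP server on 587 and the Explorer registry write are deliberately left unmatched: the destination host and the exact Run key path, not the port or the registry hive alone, are what tie an event to this sample. Because submission on 587 normally upgrades to TLS with STARTTLS before AUTH, the credential check only works on endpoint or TLS-inspected captures; network-side detection otherwise rests on the smtp.mail.ru:587 destination.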