c2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17

General

Target

3817bad277aa50016e08eed35e92d4a3b5247633.exe
Size

876KB
MD5

6b1f65c5297138a312c83c277c258bcb
SHA1

3817bad277aa50016e08eed35e92d4a3b5247633
SHA256

c2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17
SHA512

213008ba436056bbeac9434f72d318c0af1a4fd4f7c082da3c32b0c1d801f3ae31208be3b2cd6e6cdaefa7728575757e7987230fb1d79895f214d4fa7b491bb1
SSDEEP

24576:GKm0WEPfv82Kww5Y3awdtWs8RPrK7LBmH0I:hmtUv4bY3hh8lrB

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2620-143-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/2620-145-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/2620-146-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3780-136-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3780-138-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3780-139-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3780-140-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3780-136-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3780-138-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3780-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3780-140-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2620-143-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/2620-145-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/2620-146-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

3817bad277aa50016e08eed35e92d4a3b5247633.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\foqrezgerdykkqw.eu.url	3817bad277aa50016e08eed35e92d4a3b5247633.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

94 bot.whatismyipaddress.com

flow	ioc
94	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

3817bad277aa50016e08eed35e92d4a3b5247633.exeRegAsm.exe

description	pid	process	target process
PID 2276 set thread context of 2308	2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe	RegAsm.exe
PID 2308 set thread context of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 set thread context of 2620	2308	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

3817bad277aa50016e08eed35e92d4a3b5247633.exevbc.exeRegAsm.exe

pid	process
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
2308	RegAsm.exe
2308	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3817bad277aa50016e08eed35e92d4a3b5247633.exe

pid process

2276 3817bad277aa50016e08eed35e92d4a3b5247633.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2308 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2308 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2308	RegAsm.exe

pid	process
2308	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

3817bad277aa50016e08eed35e92d4a3b5247633.exeRegAsm.exe

description	pid	process	target process
PID 2276 wrote to memory of 2308	2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe	RegAsm.exe
PID 2276 wrote to memory of 2308	2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe	RegAsm.exe
PID 2276 wrote to memory of 2308	2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe	RegAsm.exe
PID 2276 wrote to memory of 2308	2276	3817bad277aa50016e08eed35e92d4a3b5247633.exe	RegAsm.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 3780	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe
PID 2308 wrote to memory of 2620	2308	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3817bad277aa50016e08eed35e92d4a3b5247633.exe
"C:\Users\Admin\AppData\Local\Temp\3817bad277aa50016e08eed35e92d4a3b5247633.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\3817bad277aa50016e08eed35e92d4a3b5247633.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp545B.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize
4KB

MD5
52211867093eff778e3dc3df6d9c4134

SHA1
28a3a9f8b1120ebb1a0f9bd1dd50325260376c61

SHA256
4a636cc2c0d4458af6252981600557e0cd4cd52f55bae619532d4b3410457d8c

SHA512
b940818d2a90226f7b46f269f1d9828a9c7a0c543ae68f5dca18f8d2f1d1a7ea3808a573970c9bf3348a9215a81f5b889f3af0823b65e82ef345a9eefdde924a

Download Submit
memory/2308-133-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2308-134-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2308-132-0x0000000000000000-mapping.dmp

Download
memory/2620-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2620-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2620-142-0x0000000000000000-mapping.dmp

Download
memory/2620-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3780-135-0x0000000000000000-mapping.dmp

Download
memory/3780-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3780-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3780-138-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3780-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads