c2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17

General

Target

6b1f65c5297138a312c83c277c258bcb.exe
Size

876KB
MD5

6b1f65c5297138a312c83c277c258bcb
SHA1

3817bad277aa50016e08eed35e92d4a3b5247633
SHA256

c2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17
SHA512

213008ba436056bbeac9434f72d318c0af1a4fd4f7c082da3c32b0c1d801f3ae31208be3b2cd6e6cdaefa7728575757e7987230fb1d79895f214d4fa7b491bb1
SSDEEP

24576:GKm0WEPfv82Kww5Y3awdtWs8RPrK7LBmH0I:hmtUv4bY3hh8lrB

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3352-143-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3352-145-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3352-146-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2076-136-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2076-138-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2076-139-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2076-140-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2076-136-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2076-138-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2076-139-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2076-140-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3352-143-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3352-145-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3352-146-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

6b1f65c5297138a312c83c277c258bcb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\foqrezgerdykkqw.eu.url	6b1f65c5297138a312c83c277c258bcb.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 bot.whatismyipaddress.com

flow	ioc
39	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

6b1f65c5297138a312c83c277c258bcb.exeRegAsm.exe

description	pid	process	target process
PID 5088 set thread context of 3696	5088	6b1f65c5297138a312c83c277c258bcb.exe	RegAsm.exe
PID 3696 set thread context of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 set thread context of 3352	3696	RegAsm.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

6b1f65c5297138a312c83c277c258bcb.exevbc.exeRegAsm.exe

pid	process
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
5088	6b1f65c5297138a312c83c277c258bcb.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
2076	vbc.exe
3696	RegAsm.exe
3696	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6b1f65c5297138a312c83c277c258bcb.exe

pid process

5088 6b1f65c5297138a312c83c277c258bcb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3696 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3696 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3696	RegAsm.exe

pid	process
3696	RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

6b1f65c5297138a312c83c277c258bcb.exeRegAsm.exe

description	pid	process	target process
PID 5088 wrote to memory of 3696	5088	6b1f65c5297138a312c83c277c258bcb.exe	RegAsm.exe
PID 5088 wrote to memory of 3696	5088	6b1f65c5297138a312c83c277c258bcb.exe	RegAsm.exe
PID 5088 wrote to memory of 3696	5088	6b1f65c5297138a312c83c277c258bcb.exe	RegAsm.exe
PID 5088 wrote to memory of 3696	5088	6b1f65c5297138a312c83c277c258bcb.exe	RegAsm.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 2076	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe
PID 3696 wrote to memory of 3352	3696	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6b1f65c5297138a312c83c277c258bcb.exe
"C:\Users\Admin\AppData\Local\Temp\6b1f65c5297138a312c83c277c258bcb.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\6b1f65c5297138a312c83c277c258bcb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp346F.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp
Filesize
4KB

MD5
9945b47a62f116c5707cfe39eba4e3a3

SHA1
3a891690b33791216df5ca70ff15c288b8ec3223

SHA256
bec9bca76621ea0f0db461945ca513d00aba466d4cf882a437a8de82075784f1

SHA512
7c0ba560d4332ca00c6b2e3e938c50e7006b0775ba2eec3ff287adf656de508795be097a6a12d9f3cb9a43ac63c0f52f2574ad1cdebe868fd4ac02e683687e48

Download Submit
memory/2076-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2076-135-0x0000000000000000-mapping.dmp

Download
memory/2076-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2076-138-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2076-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3352-142-0x0000000000000000-mapping.dmp

Download
memory/3352-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3352-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3352-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3696-134-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/3696-132-0x0000000000000000-mapping.dmp

Download
memory/3696-133-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads