General
-
Target
a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e
-
Size
692KB
-
Sample
230507-f8wttsed5z
-
MD5
21a98f442dc499874eee65be09e23256
-
SHA1
b220652614f3f561aa690ef5009c655bb31956d1
-
SHA256
a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e
-
SHA512
6dbd625a43d2da5bb9743a01e748c71c0654f9c71229ab1b5e4973a9b12f657f4d301f6a8cada418bad21009f0596b78cda4745fc896fd3bac02974c800401f0
-
SSDEEP
12288:ZzgmdXs3Q7Rxyb+xM3A4qte6gvV696oYd+eufXpaIJYHjDDU:5gksGcC2TxN69HY+fp/S7U
Static task
static1
Behavioral task
behavioral1
Sample
a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.tcci.org.sa - Port:
587 - Username:
[email protected] - Password:
Brown3044
Targets
-
-
Target
a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e
-
Size
692KB
-
MD5
21a98f442dc499874eee65be09e23256
-
SHA1
b220652614f3f561aa690ef5009c655bb31956d1
-
SHA256
a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e
-
SHA512
6dbd625a43d2da5bb9743a01e748c71c0654f9c71229ab1b5e4973a9b12f657f4d301f6a8cada418bad21009f0596b78cda4745fc896fd3bac02974c800401f0
-
SSDEEP
12288:ZzgmdXs3Q7Rxyb+xM3A4qte6gvV696oYd+eufXpaIJYHjDDU:5gksGcC2TxN69HY+fp/S7U
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-