General
Target: 10397957094.zip
Size: 1.2MB
Sample: 230510-wsehlsbd4v
MD5: 292c310e47a8f69c242e8e19700dbd79
SHA1: 7e50d6488dad5e8ecd3949c85c1089afe3e7b303
SHA256: 1e7abeab7b40ca56a3f6a8d49cfd86b567bce43b790e01a9d7688789944373fb
SHA512: b6e0da385fd6884275912283bb23974bfe48c928200efeec60680de2ecf5bbec1a6c9ec938e59c5e41412763ff7a95dfc7054e41f6d34df4e0da3ce49edd380c
SSDEEP: 24576:hHfNdnqm1Q4u4GNh8da1nbiXcgdSlTlp3Wg/1+0LXFtt+6MPtehdB4:hHf+m1jTGIdOnbKcgdS1lpPt+6Vttvx4
Static task: static1
Behavioral task: behavioral1
  Sample: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  Resource: win10v2004-20230221-en
Behavioral task: behavioral3
  Sample: d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98.exe
  Resource: win7-20230220-en
Behavioral task: behavioral4
  Sample: d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.tcci.org.sa
- Port: 587
- Username: khedre@tcci.org.sa
- Password: Brown3044
Targets
Target: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
Size: 1.1MB
MD5: 0ede5189d2124e2de33daca7dfacecd8
SHA1: b5b62e468bbc494bf039a2b84748a1c54ddf21cb
SHA256: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
SHA512: dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
SSDEEP: 12288:jy0Vd6+UYMUiv4MBBlLakiL5R6ftjGFwWod5wgEBit9QVXdNo:j9ygM3lLalRajGeWmwgEBisVt6
Score: 7/10
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98
Size: 661KB
MD5: d793dff0e3e0046d9f13c9b75d4d67a1
SHA1: 2357b41b9a5d5d4880cdfc76724bc96931e9e643
SHA256: d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98
SHA512: 2bcde02d15c5497ab0a17d445abc9a7b4bccd50732ace2b2d99e6820d420a16b76262a5ff6472389733e1f71e33de7ff9fcecfdc99c5630a0666bc8539f602e3
SSDEEP: 12288:AMx+hr1rttGnqqzhY/RG5/weutM7eiWZ0rgkHgqmCSni7KtaNy3P4Z95lW0pDl:pkrPGn3aImeutR0ZHgd67KtaNGAZ9GI
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext