General
- Target: PO Lists --- pdf.zip
- Size: 843KB
- Sample: 230518-v4npzsca9y
- MD5: 8b3fba55f8701f15e1e7da3e70f83cf9
- SHA1: e17b8523c1a085c6589714796bc8d4014d9614f6
- SHA256: f61d3702b4bd8b5943bf3cda175b2ff015d15b0fea10b2842ceeed6631d6e298
- SHA512: f72cbdf6b547fcfb2312b881d8c7181cdde66d7a9d20a6c9bc7849ff2b4b5faf3593fef30591e772bd9aca7018190c163d30b95e9f705dd92d5bed842d5acce0
- SSDEEP: 24576:XBqWWbmI76S/rPrjaeraryePyef4Zbp1A:xI2erTjHaVPyKaHA
Static task: static1
Behavioral task: behavioral1
- Sample: PO Lists --- pdf.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: PO Lists --- pdf.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.lucd.ru
- Port: 21
- Username: hwk@lucd.ru
- Password: obum@911
Targets
- Target: PO Lists --- pdf.exe
- Size: 1.2MB
- MD5: eea1fbd22436e2b085fa5fcc55ea052e
- SHA1: 76f7c18a39a48b86dda253eaa146fd6e1aa5df89
- SHA256: 43e66c483be9cbb9f35ce7f57bf255925abd25a8fc40b80d79bf0cd2a3f54af9
- SHA512: 3f9d3756e4e5f0bc1841a3fbfffd12fdd52708bb97db36b01dbb96b34946944e42297d9eb6e871f4ba5d653771118035eb7fc88f948e806911916409fc1bbdbe
- SSDEEP: 24576:/j0pZcKDySR/Pxt8eD8dSevyifwZpNZ0C:L0zOu/JtR8HvyuSeC
- Looks for VirtualBox Guest Additions in registry
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext