General
-
Target
Attached Invoice_1.rar
-
Size
3.4MB
-
Sample
230601-sjfsjafc5w
-
MD5
4a59b494adc3dbd4f1a9af947ad43673
-
SHA1
0cd099c5c2a0195b466cbefd7a4ede0e0762aa14
-
SHA256
a2cc926b7b025641b2d587ce686c510f914738dd8074afa406546fcc948854b7
-
SHA512
7803935476385fb579e7d9d07b27fda64f9bdead20617dc75b37dfe318425b33487d9bd94ea62236a943f0d92157424878a26bd74e992a07f746de95a5f34e47
-
SSDEEP
49152:DFcsA8TG92vQWje/mmC5+5huiFOMWGh2EbjC1h6K1veKsCeezFc3w4Gq4NW8c7Ad:ZPpjuKQhDZJ2Evo1GKsZeGA4z58f2XU
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20230220-en
Malware Config
Extracted
Protocol: ftp- Host:
ftp.product-secured.com - Port:
21 - Username:
[email protected] - Password:
H?G7iEWK_W0R##
Targets
-
-
Target
Invoice.exe
-
Size
5.8MB
-
MD5
e0ad1b070ad9c0430f491d07c2708484
-
SHA1
f36de48706a23f38d7b3fa070d8948dbc9ac3491
-
SHA256
647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
-
SHA512
d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
-
SSDEEP
98304:AuBV+GvjiaLzY5lk+Ar+fbleEfho0b6s0LSvIragO0fMvU/5Lf62LDY:AbGvPE5Ca183
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-