General
- Target: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f
- Size: 421KB
- Sample: 230609-2rnmsaed7v
- MD5: 0a2b49b01d618678868d19636000c625
- SHA1: 38d83bff735ab583975d95c462e81e33741aa0da
- SHA256: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f
- SHA512: 2336cf5a155e0395cab155917999ff3b9b79b30c913513b528d74f56acff0473e66c6fe3e9ab9d1198835aeb4b772b82c8457d718538c6292581ec8dfaec5a0b
- SSDEEP: 6144:wZuuObR8sVImcyYJnup+8ejV0rXkSjHFBTVm0+HhGsv7EqElNldmkHOKwKyWhwHE:nV+mzLsc/TwlMsDVE9d4HjjKjN
Static task
- static1
Behavioral task
- behavioral1
- Sample: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
- Resource: win7-20230220-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.tcci.org.sa
- Port: 587
- Username: test1@tcci.org.sa
- Password: Cream3040
Targets
- Target: 034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f (421KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values in the General section above)
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext