General
- Target: 10752297395.zip
- Size: 300KB
- Sample: 230612-y5s8msdf86
- MD5: cc8ae23ec9c4ef24b93c644ab0d5d85e
- SHA1: 5a0346d9e3bfbec9625afcabfdec893516fb8f1d
- SHA256: 772930c5c47fe742b60b441f8150edaa558ba9bbf13fb0f751b7d9dbdd828f21
- SHA512: bce7d180a6896888c0e4391a12a8743f8253a5f1d6917deaee90c39eaa1f1abc57fa81bda31c7353b352e3c3468a2763ff39780ee59a1d0562da630ce8ac0956
- SSDEEP: 6144:waJzmulUNpdMjFrk+iGAmc0xHknHqVSpHfz8IqtDvVg:fJHlUNp6lk+6qFknKUp/z8IqtS
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
  - Resource: win7-20230220-en
- Behavioral task: behavioral2
  - Sample: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
  - Resource: win10v2004-20230221-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: painnerlogger092@gmail.com
- Password: pxfvdhixclsqroly
Targets
- Target: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
- Size: 505KB
- MD5: 31fdba408133d245e8761d8960b8e568
- SHA1: cd2cef468d33024c2dea149f50e0faf7b907130d
- SHA256: d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
- SHA512: 4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594
- SSDEEP: 6144:sNxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9F7I:CxQtqB5urTIoYWBQk1E+VF9mOx9q
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP
- Suspicious use of SetThreadContext