General
- Target: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs
- Size: 13KB
- Sample: 240523-bxjynsgh62
- MD5: 12e0264eaf14daca0cd45da32ea68c80
- SHA1: 56774e10d374a80549d06406f52514c06634c5e4
- SHA256: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66
- SHA512: 8d80725c889c722be19dd07bda6c8ed29d2a2d5cd8f353eb5df7f4f998538c7ca8afd08993800c7cdb2772f6b5c51e78399c51e486c19fafa29f963acdc6b66e
- SSDEEP: 192:6i9I38fdqWxBTsQqkqYK2yud66mT7LdjnPm4oTgWXvA/YJgzyv3tEQpK:1I3IddsMqYK2ndc1jO4cgZ/+GyPtLK
Static task: static1
Behavioral task: behavioral1
- Sample: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs
- Resource: win10v2004-20240508-en
Malware Config
Targets
- Target: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66.vbs
- Score: 10/10
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext