Extracted

• • Target

    fijewh.zip

  • Size

    36.0MB

  • MD5

    7e6d7c0df23672babd30f9543916ca52

  • SHA1

    0571efe4079a95cb118d79f8c87cdb8694193973

  • SHA256

    ea5e0d5f12deeb25573cc7fcade7327945d5e4778c1569e189dc483e96583cbc

  • SHA512

    010799374e9bb476c248ecd326ef67e076959b92da685c538b7f4bd4b94570a3e3cf43d64cd52b2a127dc15e2f11b41e1ea2d8c32fd9019f7272538311baf8c2

  • SSDEEP

    393216:dGRv1cKZdpkm4SNOFXT+93GRv1cKZdpkm4SNOFXT+9ZEcnTXHfV18f49bWUccq:G/dkUsTD/dkUsTwECL/nXbW2q

  Score

  10^/10

  fabookiemimikatzponysocelarscollectioncredential_accessdiscoverypersistenceratspywarestealerupxvmprotect

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • Mimikatz family

    mimikatz

  • Pony family

    pony

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars family

    socelars

  • Socelars payload

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • mimikatz is an open source tool to dump credentials on Windows

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1