General
-
Target
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe
-
Size
742KB
-
Sample
241119-e76f7s1dlr
-
MD5
9e86c85f3d451e8a8716c39dbe28379a
-
SHA1
c23ac963949b1c91ae566be269971e72808376a7
-
SHA256
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
-
SHA512
f8a4c42b41e3d4333120ad76701fff135f64805e558a4cf50fad17f86af1ed71ce4bbc34ab2128d72caa9029e76b30d29be29ba5a6873315538c3949b8cfa422
-
SSDEEP
12288:txGQ/w/DKicDR4RBAwFV340O5BZOKhNSRmDSuo8ukI/Px6VqlZz6oa5Nlt4pWG:PGQYLPRBAwFVo0O5BZOKhNZ9I4UlZmdO
Static task
static1
Behavioral task
behavioral1
Sample
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe
Resource
win7-20240903-en
Malware Config
Extracted
Protocol: smtp- Host:
webmail.mts.rs - Port:
587 - Username:
[email protected] - Password:
Tptadic
Targets
-
-
Target
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe
-
Size
742KB
-
MD5
9e86c85f3d451e8a8716c39dbe28379a
-
SHA1
c23ac963949b1c91ae566be269971e72808376a7
-
SHA256
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
-
SHA512
f8a4c42b41e3d4333120ad76701fff135f64805e558a4cf50fad17f86af1ed71ce4bbc34ab2128d72caa9029e76b30d29be29ba5a6873315538c3949b8cfa422
-
SSDEEP
12288:txGQ/w/DKicDR4RBAwFV340O5BZOKhNSRmDSuo8ukI/Px6VqlZz6oa5Nlt4pWG:PGQYLPRBAwFVo0O5BZOKhNZ9I4UlZmdO
-
Hawkeye family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-