Overview

overview

10

Static

static

209e6e8d79...d2.exe

windows7_x64

10

209e6e8d79...d2.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2

  • Size

    1.1MB

  • Sample

    201109-fffnz9qkzn

  • MD5

    16c0e0a3dd6944e96b65f60d35608260

  • SHA1

    95e8a95386545036d39dc8bd18465753ba7fee1a

  • SHA256

    209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2

  • SHA512

    e60377f2486a2d6185c5d6d1cec68447fd56c74006b933961ae617ba9ebadc99457a7c20aeb9adfa98293755892e2db8b2f39a34d424f8ad885287747ab1abb0

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.casalsmd.com
  • Port:
    587
  • Username:
    carolina@casalsmd.com
  • Password:
    Carolina123

Targets

    • Target

      209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2

    • Size

      1.1MB

    • MD5

      16c0e0a3dd6944e96b65f60d35608260

    • SHA1

      95e8a95386545036d39dc8bd18465753ba7fee1a

    • SHA256

      209e6e8d79007d812728aa097b8707afc96e86b68652011d6cbe87b0789da6d2

    • SHA512

      e60377f2486a2d6185c5d6d1cec68447fd56c74006b933961ae617ba9ebadc99457a7c20aeb9adfa98293755892e2db8b2f39a34d424f8ad885287747ab1abb0

    Score
    10/10
    hawkeyekeyloggerpersistencespywarestealertrojanupx

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks