General

  • Target

    4aa2ba898c0c924d352ab195b280922a85b97970a6fa03183b6a717c547c9173

  • Size

    1.1MB

  • Sample

    201113-kv5ll2bjzj

  • MD5

    b6b3d6cdf1a21f110cad0f4102fa7385

  • SHA1

    dd087f9b2c4030ab6d441625f42d7bf472904a25

  • SHA256

    4aa2ba898c0c924d352ab195b280922a85b97970a6fa03183b6a717c547c9173

  • SHA512

    441dccc43da695a20621c9ecb95b3713eff9fe1bc8167950878199b9bf785eb8e2879b671375fbec046c632be94c652a0c5cc331268ba8cfe59fe38e801a47ca

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.casalsmd.com
  • Port:
    587
  • Username:
    carolina@casalsmd.com
  • Password:
    Carolina123

Targets

    • Target

      4aa2ba898c0c924d352ab195b280922a85b97970a6fa03183b6a717c547c9173

    • Size

      1.1MB

    • MD5

      b6b3d6cdf1a21f110cad0f4102fa7385

    • SHA1

      dd087f9b2c4030ab6d441625f42d7bf472904a25

    • SHA256

      4aa2ba898c0c924d352ab195b280922a85b97970a6fa03183b6a717c547c9173

    • SHA512

      441dccc43da695a20621c9ecb95b3713eff9fe1bc8167950878199b9bf785eb8e2879b671375fbec046c632be94c652a0c5cc331268ba8cfe59fe38e801a47ca

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks