General

  • Target

    Enquiry_pdf.exe

  • Size

    957KB

  • Sample

    201113-p9qqrl97je

  • MD5

    a8698b599aeab36b4e316b6ff1eb4169

  • SHA1

    0caa2ab74a8c5c3bd83dc0bb9fe88da205767b2b

  • SHA256

    20485e51c68bc57a9bbb2dff973ea7eecd96cf6e74272aa9f92a27c3259d7620

  • SHA512

    828ab8fcef818be538e35f541b7e766cf03f6a00758e48bc9fe19e43966219cf7397f9c1d65167723fcad9120a245b2cfdc01c2148040dc190805a9310a77e87

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.foodprocessorsng.org
  • Port:
    587
  • Username:
    members@foodprocessorsng.org
  • Password:
    Food123Member

Targets

    • Target

      Enquiry_pdf.exe

    • Size

      957KB

    • MD5

      a8698b599aeab36b4e316b6ff1eb4169

    • SHA1

      0caa2ab74a8c5c3bd83dc0bb9fe88da205767b2b

    • SHA256

      20485e51c68bc57a9bbb2dff973ea7eecd96cf6e74272aa9f92a27c3259d7620

    • SHA512

      828ab8fcef818be538e35f541b7e766cf03f6a00758e48bc9fe19e43966219cf7397f9c1d65167723fcad9120a245b2cfdc01c2148040dc190805a9310a77e87

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks