General

  • Target

    ec021f264e15c9d1c6cf8a5b12325f76d3218abc56927abd63180c3067d24938

  • Size

    1.1MB

  • Sample

    201115-atw27pkxyx

  • MD5

    ae1a45894dba2a1a2c003cadd08a2821

  • SHA1

    7ea24923c3403fb72dd186a85221a6e077165b69

  • SHA256

    ec021f264e15c9d1c6cf8a5b12325f76d3218abc56927abd63180c3067d24938

  • SHA512

    1f0e4c19e8533a09e4e6ea034a0877ce27d89f9b1c8a7cff88bc35ac892703282d6627005ce219ed63d253c9cd3bd703b292bb583b1d9f17f9c6994338bfe8db

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.casalsmd.com
  • Port:
    587
  • Username:
    carolina@casalsmd.com
  • Password:
    Carolina123

Targets

    • Target

      ec021f264e15c9d1c6cf8a5b12325f76d3218abc56927abd63180c3067d24938

    • Size

      1.1MB

    • MD5

      ae1a45894dba2a1a2c003cadd08a2821

    • SHA1

      7ea24923c3403fb72dd186a85221a6e077165b69

    • SHA256

      ec021f264e15c9d1c6cf8a5b12325f76d3218abc56927abd63180c3067d24938

    • SHA512

      1f0e4c19e8533a09e4e6ea034a0877ce27d89f9b1c8a7cff88bc35ac892703282d6627005ce219ed63d253c9cd3bd703b292bb583b1d9f17f9c6994338bfe8db

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks