General

  • Target

    6351df97ad5c397ca6f90b7344b534dd95ad10e3945dce4766c52615af96ba86

  • Size

    1.5MB

  • Sample

    201115-dw7fhwgx52

  • MD5

    2ebcbce3a454b07ae4bef1f9bdf1aeed

  • SHA1

    203022baa8bd7d52fd1066e9afc99b1039e6707e

  • SHA256

    6351df97ad5c397ca6f90b7344b534dd95ad10e3945dce4766c52615af96ba86

  • SHA512

    890750941efdd6326247a98bd59363a4144e6913add614ebf746360855a13c6c55db03b6e6edc4023d4ec2ac1547dc1bc17df9a0c3925e3d71e93b966554d555

Malware Config

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                             Count  ID
  Execution          Scripting                             1      T1064
  Persistence        Registry Run Keys / Startup Folder    1      T1060
  Defense Evasion    Scripting                             1      T1064
  Defense Evasion    Modify Registry                       1      T1112
  Credential Access  Credentials in Files                  1      T1081
  Collection         Data from Local System                1      T1005
Tasks