General

  • Target

    cde560b79a71056438ff4bb8e8b754827716ec32daf1c53b4806557007364820

  • Size

    1MB

  • Sample

    201115-r7s2nq58v2

  • MD5

    884ea12c370a9599f41547092ca3aaf9

  • SHA1

    e8c76bd28cd2ca9f2fd358adddb418c83a761601

  • SHA256

    cde560b79a71056438ff4bb8e8b754827716ec32daf1c53b4806557007364820

  • SHA512

    a01f8aedf1f47a461a3344fb12042adfd2727fb1ad5b9b5d5817037bd800bb629b332b7b04aa388b7033ccb48bdfd6db3361292f277bab01192b0a6a3c98b14d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.casalsmd.com
  • Port:
    587
  • Username:
    carolina@casalsmd.com
  • Password:
    Carolina123

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting, T1064 (1)

Persistence

  • Registry Run Keys / Startup Folder, T1060 (1)

Defense Evasion

  • Scripting, T1064 (1)
  • Modify Registry, T1112 (1)

Credential Access

  • Credentials in Files, T1081 (1)

Collection

  • Data from Local System, T1005 (1)