General

  • Target

    NDt93WWQwd089H7.exe

  • Size

    1.3MB

  • Sample

    210112-5tg1ss9t32

  • MD5

    0f330f518f4f71f0735cce4eaf1612d7

  • SHA1

    f34909417588543112974ebbc0fa8236a8a604c1

  • SHA256

    702554b4a0770d70bd5972318d2294ef2b26001595b574d122264b8c1793457c

  • SHA512

    ee5ec83814a64c56bdfdaec885396c86364ccf5bd7eaa25b3bdd2c43c6a8c7427bdf2a7514a7c0043294cdf7c9b89699a818ca65d5e4ef6f5d04c0de94597db3

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    MARYolanmauluogwo@ever

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1) T1064
    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Scripting (1) T1064

Tasks