General

  • Target

    R2607210998764553.doc

  • Size

    1MB

  • Sample

    210727-6j8pv1lbsa

  • MD5

    c37d902c03a12a87e5394f849ae966d3

  • SHA1

    8b4a32210a84fe179b97b211e05bccec0a377789

  • SHA256

    5c783a84eb7784ccab875c4ec73f44f99a6e443ef7c5dcfaaaa9f2e23f71e072

  • SHA512

    1f0b42a167ff8e97c51d269048668ac39f9563e709b125b839b443dfa0e3b499f131a63404a80bf9631859f5fc7165e66844eb31e5b29f0351e03f7fdebfbc9b

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.vngpack.com
  • Port:
    21
  • Username:
    newloggsaa@vngpack.com
  • Password:
    Xpen2000

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • suricata: ET MALWARE HawkEye Keylogger FTP

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1 hit) T1064
    Exploitation for Client Execution (1 hit) T1203

  • Defense Evasion

    Scripting (1 hit) T1064
    Modify Registry (2 hits) T1112
    Install Root Certificate (1 hit) T1130

  • Discovery

    Query Registry (2 hits) T1012
    System Information Discovery (2 hits) T1082
