General

  • Target

    0496858beb4cfd6709dff2122d85e33245ff41ec53831b8fcce61fc5702bef74

  • Size

    521KB

  • Sample

    220222-3xlaaaggbk

  • MD5

    d08937ebdce1596f32967e3366fc57a4

  • SHA1

    99a8f87e17ec09a4fd93d84c099c7b3b36ba000d

  • SHA256

    0496858beb4cfd6709dff2122d85e33245ff41ec53831b8fcce61fc5702bef74

  • SHA512

    f6e4f7e7c2adf2b0c34f04197c23f97596db2b1aba89f89c217cd7eaddac8cc4450b080fc52dd27cdeb4d72313da8d89ddc415711111c24c208d6667afdcb9fd

Malware Config

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks