General

  • Target

    046ebaf27a63167fb0e1cc6424a309194db9d1719d80705d1cb43ef362be1f3b

  • Size

    841KB

  • Sample

    220222-3zlntsfde9

  • MD5

    9eaf738c051fde9fb8ff432ed93386f3

  • SHA1

    218640a2467337f4256e25b7089b362e10e3f651

  • SHA256

    046ebaf27a63167fb0e1cc6424a309194db9d1719d80705d1cb43ef362be1f3b

  • SHA512

    5449479b757c6b7e3a9e4a6e17d4c03cf805c040839fbff0100422e1658aa0ed95f1ff8bbf462131360016d1e8b9b5b98e457b8ace8496fcdb815b4ac0a1d3a7

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ikbenmarco234!

These are the sample's hard-coded SMTP credentials, i.e. the attacker's drop mailbox that stolen data is sent to. Note that smtp.mail.com is a legitimate public mail provider, so the host alone is a weak indicator; the account and password (and any non-mail process authenticating to that host on 587) are the useful ones. Treat the credentials as live attacker infrastructure and report them to the provider rather than reusing them.

Targets

    • HawkEye

      HawkEye is a commodity keylogger and credential-stealer kit that has been sold and continuously developed since at least 2013. It typically bundles NirSoft password-recovery tools and exfiltrates captured keystrokes and credentials over SMTP, FTP or HTTP, which matches the SMTP configuration extracted above.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • NirSoft

      Generic tag for embedded NirSoft tooling; covers the two password-recovery utilities above. The tools are legitimate, but a stealer dropping them is the indicator.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

      The payload runs inside vbc.exe, the Microsoft-signed .NET Visual Basic compiler, a common host process for injected stealer payloads because it is present on any machine with the .NET Framework and rarely raises alarms.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP. Benign in isolation, so use it for correlation (for example with a following SMTP connection from the same process) rather than as a stand-alone alert.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is the final step of process hollowing and thread hijacking. Together with the vbc.exe signature above, this is consistent with the stealer being injected into a hollowed compiler process.
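The behaviours listed above (an external-IP lookup followed by outbound SMTP to the exfiltration host from a non-mail process) can be turned into a correlation rule. The following is an added example written for this page, not code from the sandbox or from the HawkEye report; it runs over constructed egress log lines in an assumed "timestamp src process dst:port" format, takes only the SMTP host and port from the extracted config, and uses an assumed list of IP-lookup services since the report does not name the one contacted.

```python
"""Correlate IP-lookup-then-SMTP behaviour over constructed egress logs.

Added example for this report page; not the sandbox's own detection logic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Exfiltration endpoint taken from the extracted config above. The mailbox
# credentials are deliberately not reproduced here.
EXFIL_HOST = "smtp.mail.com"
EXFIL_PORT = 587

# External-IP lookup services (assumed list for this example; the report only
# says "a legitimate IP lookup service").
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ip-api.com"}

# Constructed log lines in an assumed "<ts> <src> <process> <dst>:<port>" format.
SAMPLE_LOGS = """\
2022-02-22T03:40:01Z 10.1.2.15 vbc.exe checkip.dyndns.org:80
2022-02-22T03:40:04Z 10.1.2.15 vbc.exe smtp.mail.com:587
2022-02-22T03:41:10Z 10.1.2.16 outlook.exe smtp.office365.com:587
2022-02-22T03:42:00Z 10.1.2.17 chrome.exe icanhazip.com:443
2022-02-22T04:30:00Z 10.1.2.17 chrome.exe smtp.mail.com:587
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    proc: str
    dst: str
    port: int


def parse_logs(text: str) -> list[Event]:
    """Parse the constructed log format; malformed lines are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, proc, dst, port = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, proc, dst, int(port)))
    return events


def ioc_hits(events: list[Event]) -> list[Event]:
    """Every connection to the exfiltration SMTP endpoint, regardless of context.

    Low confidence on its own: mail.com is a legitimate provider.
    """
    return [e for e in events if e.dst.lower() == EXFIL_HOST and e.port == EXFIL_PORT]


def find_exfil_chains(
    events: list[Event], window: timedelta = timedelta(minutes=10)
) -> list[tuple[Event, Event]]:
    """Higher-confidence rule: the same host *and* process performs an external-IP
    lookup and, within `window`, opens SMTP to the exfiltration host.

    Returns (lookup_event, smtp_event) pairs, one per qualifying SMTP connection.
    """
    by_key: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:
        by_key[(e.src, e.proc)].append(e)

    chains: list[tuple[Event, Event]] = []
    for evs in by_key.values():
        evs.sort(key=lambda e: e.ts)
        lookups = [e for e in evs if e.dst.lower() in IP_LOOKUP_HOSTS]
        for smtp in ioc_hits(evs):
            # Earliest lookup that precedes the SMTP connection within the window.
            for lookup in lookups:
                if timedelta(0) <= smtp.ts - lookup.ts <= window:
                    chains.append((lookup, smtp))
                    break
    return chains


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for lookup, smtp in find_exfil_chains(evs):
        print(f"ALERT {smtp.src} {smtp.proc}: IP lookup via {lookup.dst} at "
              f"{lookup.ts:%H:%M:%S}, then SMTP to {smtp.dst}:{smtp.port} at {smtp.ts:%H:%M:%S}")
```

On the constructed input only the vbc.exe host fires the chain rule; the chrome.exe host hits the raw SMTP indicator but its lookup is 48 minutes earlier, outside the default window, which is the kind of separation that keeps a legitimate provider's SMTP endpoint from generating noise. Widen the window, or key on the source host rather than host plus process, if the payload is expected to migrate between processes.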

MITRE ATT&CK Enterprise v6

Tasks