General

  • Target

    1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556

  • Size

    411KB

  • Sample

    220222-she5lsace3

  • MD5

    b624e6c14c4aa9c7319981e0410172d8

  • SHA1

    5fe043e18dec32d4045e38fb3bc2f9a700b7079f

  • SHA256

    1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556

  • SHA512

    b8d083728c28b53146e3c1a552fd24125a39ea0c64640dcf6d43e1809f92b7f563edde715c56d7b7bddc8e05db7fddc096367b5448b329b5a45921eda3f74e5e

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YWhoQG..Ghkwis.

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YWhoQG..GhwvdG..

Targets

    • Target

      1886ade5c22849aeb83a3977f0ce1296212afc2e3d60d96be0ecc6c7ee0a4556

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks