General

  • Target

    16dd48e7a6240b44d87f9f2732051a6cd0c1b74c1fff59db7c91eb6fe7bfafab

  • Size

    688KB

  • Sample

    220222-tajy9sbgcj

  • MD5

    24292e5f46b397720a01668fe8489c6f

  • SHA1

    8f8e3d051613707dc9dace1b7bd6da4f97ad6bc7

  • SHA256

    16dd48e7a6240b44d87f9f2732051a6cd0c1b74c1fff59db7c91eb6fe7bfafab

  • SHA512

    978bbfb73c439de8ffa1d8b224f66d3f906465c6081a08f1aac30a84d5ea80dc63a639411de91583f71e13f8088b408dc3637d9491d64a9440e5c15808763cf8

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Paneinh1!

Targets

    • Target

      16dd48e7a6240b44d87f9f2732051a6cd0c1b74c1fff59db7c91eb6fe7bfafab

    • Size

      688KB

    • MD5

      24292e5f46b397720a01668fe8489c6f

    • SHA1

      8f8e3d051613707dc9dace1b7bd6da4f97ad6bc7

    • SHA256

      16dd48e7a6240b44d87f9f2732051a6cd0c1b74c1fff59db7c91eb6fe7bfafab

    • SHA512

      978bbfb73c439de8ffa1d8b224f66d3f906465c6081a08f1aac30a84d5ea80dc63a639411de91583f71e13f8088b408dc3637d9491d64a9440e5c15808763cf8

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks