General

  • Target

    10faeecf86f1697e7b24730a26e986d080dfb9182e7f1a7a746beee818742fdf

  • Size

    762KB

  • Sample

    220222-w4azkacbh9

  • MD5

    ac9d4c41b5aaaa15531d97536b0b10f3

  • SHA1

    503af6e4d3733a6a840d4033c72067cbe25141b2

  • SHA256

    10faeecf86f1697e7b24730a26e986d080dfb9182e7f1a7a746beee818742fdf

  • SHA512

    137a1a47ea9852fe209ee3fd08e7293e2dbfbc38e832529d2e85b6add2872fbad6d22edd95164b22a294d5d7798a262cf75bf4afafb60d05833bd23eaf953056

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies visibility of hidden/system files in Explorer

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
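The "UPX packed file" signature in the list above is a static check on the PE header rather than on behaviour. The Python below is an added example, not the sandbox's own detection logic and not code from the sample on this page: it parses the PE section table with the standard library only and reports the three traces stock UPX leaves (the UPX0/UPX1 section names, the "UPX!" marker, and a first section that occupies no bytes on disk but a large writable and executable virtual range). The three PE images it scans are constructed inline; their section names, sizes and flags are assumptions chosen to mirror a typical UPX layout, a renamed ("modified UPX") layout, and ordinary compiler output.

```python
import struct
from typing import List, Tuple

# Section-header layout from the PE/COFF spec: 8-byte name, six DWORDs,
# two WORDs, one DWORD of characteristics (40 bytes total).
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)   # 40
COFF_HEADER_SIZE = 20

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes) -> List[Tuple[str, int, int, int]]:
    """Return (name, VirtualSize, SizeOfRawData, Characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    out = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, f[1], f[3], f[9]))   # VirtualSize, SizeOfRawData, Characteristics
    return out


def upx_indicators(data: bytes) -> List[str]:
    """Indicators that the image was packed with UPX or a renamed/modified build."""
    hits = []
    sections = parse_sections(data)
    upx_names = [s[0] for s in sections if s[0].startswith("UPX")]
    if upx_names:
        hits.append("UPX section names: " + ", ".join(upx_names))
    # Stock UPX writes a loader info block tagged "UPX!"; modified builds often
    # patch it out, so treat it as supporting evidence only.
    if b"UPX!" in data:
        hits.append("'UPX!' marker found")
    # Layout heuristic that survives renamed sections: the first section is the
    # unpacking destination, so it has SizeOfRawData == 0 but a large virtual
    # range, and is mapped writable and executable.
    if sections:
        name, vsize, rawsize, chars = sections[0]
        rwx_mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        if rawsize == 0 and vsize > 0 and chars & rwx_mask == rwx_mask:
            hits.append(f"first section {name!r} is an empty RWX placeholder "
                        f"(raw 0, virtual {vsize:#x})")
    return hits


def build_pe(sections, trailer: bytes = b"") -> bytes:
    """Assemble a minimal header-only PE image (constructed test input, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: PE header follows the DOS header
    # COFF header: Machine=i386, NumberOfSections, three zero DWORDs,
    # SizeOfOptionalHeader=0 (omitted here; the parser honours the field), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, raw, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, raw, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + table + trailer


# Constructed samples (assumed layouts, not bytes from the sample on this page).
UPX_IMAGE = build_pe(
    [(b"UPX0", 0x40000, 0x1000, 0, 0xE0000080),
     (b"UPX1", 0x8000, 0x41000, 0x7C00, 0xE0000040),
     (b".rsrc", 0x1000, 0x49000, 0x600, 0xC0000040)],
    trailer=b"\0" * 16 + b"UPX!" + b"\0" * 16)

# Same layout with section names rewritten and the marker removed, as a
# modified packer would leave it; only the layout heuristic fires.
RENAMED_IMAGE = build_pe(
    [(b".text", 0x40000, 0x1000, 0, 0xE0000080),
     (b".data", 0x8000, 0x41000, 0x7C00, 0xE0000040)])

# Ordinary compiler output: every section has bytes on disk, code is RX, not RWX.
PLAIN_IMAGE = build_pe(
    [(b".text", 0x5000, 0x1000, 0x5000, 0x60000020),
     (b".data", 0x1000, 0x6000, 0x800, 0xC0000040),
     (b".rsrc", 0x400, 0x7000, 0x400, 0x40000040)])

if __name__ == "__main__":
    for label, img in (("upx", UPX_IMAGE), ("renamed", RENAMED_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, upx_indicators(img) or ["no UPX indicators"])
```

To run it against the real sample, read the file and pass the bytes to upx_indicators(); the section-name check alone is what a renamed UPX build is designed to defeat, which is why the empty-RWX-first-section heuristic is the one worth keeping in a triage script.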