General

  • Target

    11d52a6e4d492dff21d27bb1615ee4cfa34db1d6bf31f04c85dd293e20e44496

  • Size

    663KB

  • Sample

    220222-wq725sdbeq

  • MD5

    a435870fca9217e93182c4144a442270

  • SHA1

    ae6eee7bb9a17a48f0ac4d616ddc5793b86b6e33

  • SHA256

    11d52a6e4d492dff21d27bb1615ee4cfa34db1d6bf31f04c85dd293e20e44496

  • SHA512

    9ad8b790066bb3f06cd98c5ab0c3c2d3ce9cb287d40375a270398f1327957929d87f4f697855d293d9675b0b25ed99698a873f34ab9a66fff9231f5e197c4a65

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mdkgr342o3NA
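The extracted config is the sample's exfiltration channel: stolen credentials are mailed out through a legitimate Gmail account, so the account itself is the indicator, not the SMTP server. As an added example (not part of the sandbox report), the Python below pulls the credential pair out of a captured SMTP dialogue (AUTH LOGIN and AUTH PLAIN, with or without an initial response) and matches it against the extracted config. The session is constructed; the username is carried exactly as the page shows it (redacted), so a real deployment substitutes the unredacted address.

```python
"""Spot authentication to the exfiltration mailbox extracted from this sample.

Example code added to this report, not sandbox output. It parses the
plaintext SMTP dialogue, so for smtp.gmail.com:587 it must run on a sandbox
or TLS-intercept capture: on the wire the AUTH exchange sits behind STARTTLS.
SAMPLE_SESSION below is constructed for the demo.
"""
import base64

# Indicators from the "Extracted -> Credentials" section of the report.
EXFIL_SMTP = {
    "host": "smtp.gmail.com",
    "port": 587,
    "username": "[email protected]",   # shown redacted on the page
    "password": "mdkgr342o3NA",
}


def b64(s):
    """Base64-encode a str the way an SMTP client sends AUTH tokens."""
    return base64.b64encode(s.encode()).decode()


def _b64dec(s):
    """Strictly decode one base64 token; None for missing or malformed input."""
    if s is None:
        return None
    try:
        return base64.b64decode(s.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_smtp_auth(session):
    """Return (username, password) pairs from a captured SMTP session.

    `session` is a list of (direction, line) tuples, direction "C" or "S",
    CRLF already stripped. Only client lines matter for credentials.
    Malformed base64 is skipped rather than raised.
    """
    creds = []
    client = [line.strip() for d, line in session if d == "C"]
    i = 0
    while i < len(client):
        parts = client[i].split(" ", 2)
        if parts[0].upper() != "AUTH" or len(parts) < 2:
            i += 1
            continue
        mech = parts[1].upper()
        initial = parts[2] if len(parts) == 3 else None  # optional initial response
        if mech == "LOGIN":
            # username is the initial response or the next client line;
            # the password always follows on the line after the username
            user_line = initial if initial is not None else (client[i + 1] if i + 1 < len(client) else None)
            pw_index = i + 1 if initial is not None else i + 2
            pw_line = client[pw_index] if pw_index < len(client) else None
            user, pw = _b64dec(user_line), _b64dec(pw_line)
            if user is not None and pw is not None:
                creds.append((user, pw))
            i = pw_index + 1
        elif mech == "PLAIN":
            blob = initial if initial is not None else (client[i + 1] if i + 1 < len(client) else None)
            decoded = _b64dec(blob)
            fields = decoded.split("\0") if decoded is not None else []
            if len(fields) == 3:  # authzid NUL authcid NUL password
                creds.append((fields[1], fields[2]))
            i += 1 if initial is not None else 2
        else:
            i += 1
    return creds


def match_exfil_account(session, dst_host, dst_port, ioc=EXFIL_SMTP):
    """True when a session to the extracted host:port logs in with the
    extracted username or password (either alone is enough to match, since
    the page shows the username redacted)."""
    if dst_host.lower() != ioc["host"] or dst_port != ioc["port"]:
        return False
    return any(u == ioc["username"] or p == ioc["password"]
               for u, p in parse_smtp_auth(session))


SAMPLE_SESSION = [  # constructed: what a sandbox would see after STARTTLS
    ("S", "220 smtp.gmail.com ESMTP"),
    ("C", "EHLO WIN-VICTIM"),
    ("S", "250-smtp.gmail.com at your service"),
    ("S", "250 AUTH LOGIN PLAIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),            # base64("Username:")
    ("C", b64(EXFIL_SMTP["username"])),
    ("S", "334 UGFzc3dvcmQ6"),            # base64("Password:")
    ("C", b64(EXFIL_SMTP["password"])),
    ("S", "235 2.7.0 Accepted"),
    ("C", "QUIT"),
]

if __name__ == "__main__":
    print(parse_smtp_auth(SAMPLE_SESSION))
    print(match_exfil_account(SAMPLE_SESSION, "smtp.gmail.com", 587))
```

Gmail requires STARTTLS on 587, so a passive network sensor sees only the EHLO and STARTTLS to smtp.gmail.com; the credential match above needs decrypted traffic (sandbox, TLS-intercepting proxy) or host telemetry. Blocking smtp.gmail.com outright has obvious collateral; a better network-side signal is a non-mail process on the endpoint opening port 587, paired with a takedown request for the mailbox.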

Targets

    • Target

      11d52a6e4d492dff21d27bb1615ee4cfa34db1d6bf31f04c85dd293e20e44496

    • Size

      663KB

    • MD5

      a435870fca9217e93182c4144a442270

    • SHA1

      ae6eee7bb9a17a48f0ac4d616ddc5793b86b6e33

    • SHA256

      11d52a6e4d492dff21d27bb1615ee4cfa34db1d6bf31f04c85dd293e20e44496

    • SHA512

      9ad8b790066bb3f06cd98c5ab0c3c2d3ce9cb287d40375a270398f1327957929d87f4f697855d293d9675b0b25ed99698a873f34ab9a66fff9231f5e197c4a65

    • HawkEye

      HawkEye is a commodity keylogger and credential stealer sold as a kit; it has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
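Taken one at a time, most of the behaviours above are noisy: browsers query IP-echo services, installers write Run keys, developers run vbc.exe. What makes the sample stand out is the combination, and the fact that the work is split across a dropper and the processes it spawns or injects into. As an added example (not part of the sandbox report), the Python below tags constructed sandbox/EDR-style events with the behaviours listed above, rolls what children do back up to the root process, and only raises a verdict when several behaviours land on one tree. The event schema, the IP-echo service list, the Chromium "Login Data" path and the cmd /c del self-delete pattern are assumptions; the report does not name which service, file or command this sample used.

```python
"""Correlate sandbox/EDR events into the behaviours this report flags.

Example code added to the report, not sandbox output. The event records in
SAMPLE_EVENTS are constructed and their schema is an assumption.
"""
from collections import defaultdict

# Public IP-echo services that stealers commonly query for the victim's
# external IP. Assumption: the report does not say which one this sample used.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
    "ifconfig.me", "whatismyipaddress.com",
}
# Matches HKCU and HKLM autostart keys regardless of how the hive is spelled.
RUN_KEY_MARKER = "\\currentversion\\run"


def tag_events(events):
    """Map each pid to the set of report behaviours its own events exhibit.

    Each event is a dict with at least "type" and "pid"; the other keys
    depend on the type (see SAMPLE_EVENTS). Unknown types are ignored.
    """
    tags = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "registry_set" and RUN_KEY_MARKER in ev["key"].lower():
            tags[pid].add("adds_run_key")
        elif kind == "dns_query" and ev["query"].lower().rstrip(".") in IP_LOOKUP_HOSTS:
            tags[pid].add("external_ip_lookup")
        elif kind == "file_read" and "\\login data" in ev["path"].lower():
            tags[pid].add("reads_browser_credentials")   # Chromium's saved-login DB (assumption)
        elif kind == "api_call" and ev["api"] == "SetThreadContext" and ev.get("target_pid") != pid:
            tags[pid].add("remote_set_thread_context")   # thread of another process: injection
        elif kind == "process_create":
            child = ev["image"].lower().rsplit("\\", 1)[-1]
            if child == "vbc.exe":
                tags[pid].add("launches_vb_compiler")
            if child == "cmd.exe" and " del " in f" {ev.get('cmdline', '').lower()} ":
                tags[pid].add("self_delete_via_cmd")     # assumption: one common self-delete idiom
    return dict(tags)


def rollup_to_root(events, tags):
    """Attribute each process's behaviours to the root of its process tree,
    so a dropper is judged by what its children and injection targets do."""
    parent = {ev["child_pid"]: ev["pid"] for ev in events if ev["type"] == "process_create"}
    rolled = defaultdict(set)
    for pid, behaviours in tags.items():
        root = pid
        while root in parent:
            root = parent[root]
        rolled[root] |= behaviours
    return dict(rolled)


def verdict(events, min_behaviours=3):
    """Return {root_pid: sorted behaviours} for trees showing at least
    min_behaviours distinct report behaviours."""
    rolled = rollup_to_root(events, tag_events(events))
    return {pid: sorted(b) for pid, b in rolled.items() if len(b) >= min_behaviours}


SAMPLE_EVENTS = [  # constructed; pids and paths are illustrative
    {"type": "process_create", "pid": 1000, "child_pid": 1100,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"},
    {"type": "api_call", "pid": 1000, "api": "SetThreadContext", "target_pid": 1100},
    {"type": "registry_set", "pid": 1100,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "dns_query", "pid": 1100, "query": "checkip.dyndns.org"},
    {"type": "file_read", "pid": 1100,
     "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "process_create", "pid": 1000, "child_pid": 1200,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c del \"C:\\Users\\victim\\sample.exe\""},
    # benign noise: an unrelated process resolving the same kind of service
    {"type": "dns_query", "pid": 2000, "query": "api.ipify.org"},
]

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
```

The roll-up is what turns the list of signatures into a usable detection: the dropper (pid 1000) never touches the Run key or a browser file itself, the injected vbc.exe does, and without parent tracking each process on its own looks like a single low-value hit. The unrelated process that only resolves api.ipify.org stays below the threshold.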

MITRE ATT&CK Enterprise v6

Tasks