General

  • Target

    1042650e65868ec4b6f9ff04f29b9fbc64cfd565564fec7c3f4f239fb157c783

  • Size

    506KB

  • Sample

    220222-xd7fhscdd9

  • MD5

    12ec668e83b3888c07f46ae1288c7cba

  • SHA1

    b12be2f342c2aba4237b913186db8c4126435065

  • SHA256

    1042650e65868ec4b6f9ff04f29b9fbc64cfd565564fec7c3f4f239fb157c783

  • SHA512

    5dda8fe3b1d25d6f24b408a6c76a00bfc0d73a9362c496e39fd03aeb7999ddc3632bfa2bed948dcb697f422e32716da7174c578d614ac06a6f25d5f97b1c9a88

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    damiangoogle10

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks