General

  • Target

    011b1cf689d5fe18e8ee572209a1bc23a9d904e7075f4a9ef75dae093f988d87

  • Size

    673KB

  • Sample

    220223-bt3xdahfck

  • MD5

    0f4c9e0582c77d8a5cd6532de4297f76

  • SHA1

    1f870df3cf70c0ce7fd451a5e07b10d7dd564c5c

  • SHA256

    011b1cf689d5fe18e8ee572209a1bc23a9d904e7075f4a9ef75dae093f988d87

  • SHA512

    eb49b81ac248eed4c49bcf1ed2be2e858d1e8c77d62bbdded947db39c67124d237763efa98e522df60f8c81eb2a2886bf75fe8419cfb90d2773687c8b9ded165

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    eagle-eyed-breakdow
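The extracted FTP account is the stealer's exfiltration channel, and because it is plain FTP the login travels in cleartext and can be read back from a packet capture or proxy log. The Python below, added here as an example and not part of the sandbox report, parses a reconstructed control-channel transcript, records each USER/PASS attempt with its outcome and any STOR uploads, and flags logins that match the host and username above. The transcripts are constructed; the password value, the upload filename and the benign `ftp.example.org` session are assumptions, since the report exposes only host, port and username.

```python
"""Recover FTP logins from a control-channel transcript (added example).

HawkEye's FTP exfiltration uses plain FTP, so USER and PASS travel in
cleartext. The transcripts below are constructed; the password and the
non-IOC host are assumptions (the report exposes host, port and username).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

IOC_FTP_HOST = "files.000webhost.com"   # from the extracted config above
IOC_FTP_USER = "eagle-eyed-breakdow"    # from the extracted config above


@dataclass
class FtpLogin:
    server: str
    port: int
    user: str
    password: Optional[str] = None
    succeeded: bool = False
    uploads: List[str] = field(default_factory=list)

    @property
    def matches_ioc(self) -> bool:
        return self.server.lower() == IOC_FTP_HOST and self.user == IOC_FTP_USER


# "C:" lines are client commands, "S:" lines are server replies.
_CMD = re.compile(r"^C:\s*(?P<verb>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")
_REPLY = re.compile(r"^S:\s*(?P<code>\d{3})")


def parse_ftp_session(server: str, port: int, lines: Sequence[str]) -> List[FtpLogin]:
    """Return one FtpLogin per USER attempt, with PASS, outcome and uploads."""
    logins: List[FtpLogin] = []
    current: Optional[FtpLogin] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        cmd = _CMD.match(line)
        if cmd:
            verb = cmd.group("verb").upper()
            arg = (cmd.group("arg") or "").strip()
            if verb == "USER":                      # each USER starts a new attempt
                current = FtpLogin(server, port, arg)
                logins.append(current)
            elif verb == "PASS" and current is not None:
                current.password = arg              # PASS before any USER is ignored
            elif verb in ("STOR", "APPE") and current is not None and current.succeeded:
                current.uploads.append(arg)         # only count uploads after a 230
            continue
        reply = _REPLY.match(line)
        if reply and current is not None:
            code = int(reply.group("code"))
            if code == 230:
                current.succeeded = True
            elif code == 530:                       # bad login; next USER starts fresh
                current.succeeded = False
    return logins


def find_exfil_logins(sessions: Sequence[Tuple[str, int, Sequence[str]]]) -> List[FtpLogin]:
    """Successful logins to the report's exfiltration host and account."""
    found: List[FtpLogin] = []
    for server, port, lines in sessions:
        found.extend(login for login in parse_ftp_session(server, port, lines)
                     if login.succeeded and login.matches_ioc)
    return found


# Constructed transcripts: the stealer's upload, a benign anonymous session,
# and a failed login to the same host.
SAMPLE_SESSIONS = [
    ("files.000webhost.com", 21, [
        "S: 220 Welcome to 000webhost.com FTP service.",
        "C: USER eagle-eyed-breakdow",
        "S: 331 Please specify the password.",
        "C: PASS example-password-CONSTRUCTED",   # assumption, not from the report
        "S: 230 Login successful.",
        "C: TYPE I",
        "C: PASV",
        "S: 227 Entering Passive Mode (192,0,2,10,204,10).",
        "C: STOR DESKTOP-VICTIM_2022-02-23_passwords.txt",
        "S: 226 Transfer complete.",
    ]),
    ("ftp.example.org", 21, [
        "S: 220 (vsFTPd 3.0.3)",
        "C: USER anonymous",
        "S: 331 Please specify the password.",
        "C: PASS guest@",
        "S: 230 Login successful.",
    ]),
    ("files.000webhost.com", 21, [
        "C: USER eagle-eyed-breakdow",
        "C: PASS wrong",
        "S: 530 Login incorrect.",
    ]),
]

if __name__ == "__main__":
    for login in find_exfil_logins(SAMPLE_SESSIONS):
        print(f"exfil login {login.user}@{login.server}:{login.port} "
              f"password={login.password!r} uploads={login.uploads}")
```

A failed attempt is kept as its own record rather than discarded, because a burst of 530s against the same account is itself worth seeing (a revoked or rotated exfil account), and the uploaded filenames tell you which host's data left the network.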

Targets

    • HawkEye

      HawkEye is a commodity keylogger and credential stealer sold as a malware kit and under continuous development since at least 2013. It harvests keystrokes, clipboard contents and stored credentials and sends them to an attacker-controlled FTP, SMTP or HTTP endpoint; the FTP account under Malware Config above is that exfiltration channel, recovered from the sample's embedded configuration.

    • NirSoft MailPassView

      Legitimate NirSoft password recovery tool for various email clients. HawkEye bundles it and runs it to dump saved mail-client credentials; because the binary itself is a known, legitimate tool, endpoint products often flag it only as a PUA/HackTool, which understates what is actually running.

    • NirSoft WebBrowserPassView

      Legitimate NirSoft password recovery tool for various web browsers, bundled and run by HawkEye in the same way to dump browser-saved logins.

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

      Spawns vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (not a VBScript tool, despite the signature name), as a host process for its payload: a signed Microsoft binary looks legitimate in process listings and is less likely to be blocked by application allow-listing.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state, including the instruction pointer, of a thread in another process. Together with the vbc.exe signature above it indicates process hollowing: vbc.exe is created suspended, the stealer is written into its address space, and the main thread is pointed at the injected code and resumed. Debuggers use the same call, hence "suspicious" rather than conclusive.
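The behaviours listed above (dropped EXE executed, dropped DLL loaded, Run key persistence, vbc.exe as injection host, external IP lookup, self-deletion) are what an endpoint sensor would see. The Python below, added here as an example and not part of the sandbox report, runs detection logic for them over a constructed Sysmon-style event stream. Field names follow Sysmon's (EventID 1 process create, 7 image load, 11 file create, 13 registry value set, 22 DNS query, 23 file delete); the events, paths, SID and IP-lookup domains are assumptions, and the report does not name which lookup service this sample used. Sysmon does not log SetThreadContext or registry reads, so the SetThreadContext and Outlook-account signatures have no direct equivalent here; vbc.exe spawned by a parent in a user-writable directory is used as the observable proxy for the hollowing target.

```python
"""Sysmon-style detections for the HawkEye behaviours above (added example).

Events are constructed; paths, SID and the IP-lookup domain list are
assumptions. SetThreadContext and registry reads are not visible to Sysmon,
so those two signatures are not modelled here.
"""
from typing import Dict, List, Tuple

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\", "\\public\\")
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
                     "ipinfo.io", "whatismyipaddress.com"}   # assumption: common services
DEV_PARENTS = ("msbuild.exe", "devenv.exe", "csc.exe")        # legitimate vbc.exe parents


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that trips a rule."""
    hits: List[Tuple[str, int]] = []
    dropped = set()    # lowercase .exe/.dll paths written to user-writable dirs
    executed = set()   # lowercase image paths seen in process-create events
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 11:
            target = str(ev["TargetFilename"]).lower()
            if target.endswith((".exe", ".dll")) and _user_writable(target):
                dropped.add(target)
        elif eid == 1:
            image = str(ev["Image"]).lower()
            parent = str(ev["ParentImage"])
            executed.add(image)
            if image in dropped:
                hits.append(("dropped_exe_executed", i))
            if (_base(image) == "vbc.exe" and _base(parent) not in DEV_PARENTS
                    and _user_writable(parent)):
                hits.append(("vbc_spawned_from_user_writable_parent", i))
        elif eid == 7:
            if str(ev["ImageLoaded"]).lower() in dropped:
                hits.append(("dropped_dll_loaded", i))
        elif eid == 13:
            if "\\currentversion\\run\\" in str(ev["TargetObject"]).lower():
                hits.append(("run_key_persistence", i))
        elif eid == 22:
            if str(ev["QueryName"]).lower() in IP_LOOKUP_DOMAINS:
                hits.append(("external_ip_lookup", i))
        elif eid == 23:
            # a binary that ran earlier in the session is now being deleted
            if str(ev["TargetFilename"]).lower() in executed:
                hits.append(("executed_binary_deleted", i))
    return hits


TEMP = r"C:\Users\victim\AppData\Local\Temp"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed event stream: infection chain followed by two benign events.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetFilename": TEMP + r"\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetFilename": TEMP + r"\helper.dll"},
    {"EventID": 1, "Image": TEMP + r"\svchost.exe",
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe"},
    {"EventID": 7, "Image": TEMP + r"\svchost.exe", "ImageLoaded": TEMP + r"\helper.dll"},
    {"EventID": 13, "Image": TEMP + r"\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": TEMP + r"\svchost.exe"},
    {"EventID": 1, "Image": VBC, "ParentImage": TEMP + r"\svchost.exe"},
    {"EventID": 22, "Image": VBC, "QueryName": "checkip.dyndns.org"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\invoice.exe"},
    {"EventID": 1, "Image": VBC,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The rules are stateful on purpose: "dropped EXE executed", "dropped DLL loaded" and "executed binary deleted" only fire when the file was written or run earlier in the same session, which is what separates the stealer's staging from an installer that legitimately writes to AppData. The vbc.exe rule keeps MSBuild and Visual Studio parents quiet, so the developer-workstation false positive does not drown the real hit.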

MITRE ATT&CK Enterprise v6

Tasks