General

  • Target

    9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a

  • Size

    376KB

  • Sample

    220308-nfh19sebh2

  • MD5

    c9066e9c3eabb41cea08f291b743cf38

  • SHA1

    cbceb189e6fccde97179f3c1d6570946db1aa869

  • SHA256

    9fc5158b8c28981f07b2c61573d79c49c928f4bc75f2864cd2df985e769def3a

  • SHA512

    0433981a6cce23508708860d1554d66610ca2779b8f76ced870a2b2b1806c385f0de51ac8f287a9cb996b98d3bc7038365ed2903cc598fd970683ecfcfb4e1fe

Malware Config

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks