General

  • Target

    41660fdfa697d4683d5b6d09146074a1cb031ad2daec66fdb6c8901030c4f9bd

  • Size

    411KB

  • Sample

    220310-3beklscge8

  • MD5

    1e22786009b2133bdb16ec7efa763bce

  • SHA1

    2fee9d2454383ce2f48eeabb55472671cd6a94be

  • SHA256

    41660fdfa697d4683d5b6d09146074a1cb031ad2daec66fdb6c8901030c4f9bd

  • SHA512

    9ef315f94fbcde6e790da39dbb74b699cbd3be07b7ad4a0686ac806e886d399427bd57270855f4268844af6cc4d3430732c1e170c6d5871084aef9da3c3df8d7

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YoQG...GhvG1.....

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YWhoQG.4.hkwis...

Targets

    • Target

      41660fdfa697d4683d5b6d09146074a1cb031ad2daec66fdb6c8901030c4f9bd

    • Size

      411KB

    • MD5

      1e22786009b2133bdb16ec7efa763bce

    • SHA1

      2fee9d2454383ce2f48eeabb55472671cd6a94be

    • SHA256

      41660fdfa697d4683d5b6d09146074a1cb031ad2daec66fdb6c8901030c4f9bd

    • SHA512

      9ef315f94fbcde6e790da39dbb74b699cbd3be07b7ad4a0686ac806e886d399427bd57270855f4268844af6cc4d3430732c1e170c6d5871084aef9da3c3df8d7

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks