General

  • Target

    3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f

  • Size

    652KB

  • Sample

    220310-3q2cxsgack

  • MD5

    9ecac63c5ba5398ed06ab220bc7cf275

  • SHA1

    e5e23a32e8e0bfef5e5790159b12f4d20bc6e302

  • SHA256

    3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f

  • SHA512

    bb58b1f3a263afaa17b71b4f740d24f4b8735b8f8ddb66c107e6a19f5029912ce499eb400b1ab8b5dcc8c933b6a5b6746f8d0c789bef9f4e8079bb26c45456c0

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Kopi1313

Targets

    • Target

      3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f

    • Size

      652KB

    • MD5

      9ecac63c5ba5398ed06ab220bc7cf275

    • SHA1

      e5e23a32e8e0bfef5e5790159b12f4d20bc6e302

    • SHA256

      3fd287850eb8c233c9691a2296839f34cf3308f2befab7ea7b1405a040cc0d9f

    • SHA512

      bb58b1f3a263afaa17b71b4f740d24f4b8735b8f8ddb66c107e6a19f5029912ce499eb400b1ab8b5dcc8c933b6a5b6746f8d0c789bef9f4e8079bb26c45456c0

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks