General

  • Target

    3be48133e44005e49fd79e90ec772908de27525161c8f0d27dc56b0c5ff299b4

  • Size

    628KB

  • Sample

    220311-a7149sdhc4

  • MD5

    e4fa59bead098cee4eada7bc3206f6bd

  • SHA1

    79ebc794d26b0bb9759974c018c7e74d81bec124

  • SHA256

    3be48133e44005e49fd79e90ec772908de27525161c8f0d27dc56b0c5ff299b4

  • SHA512

    7579b603f2a3877e22abf0403ff1c6f2b601974ecd7e2d1cef0ce21143ea22ebf17e05faa0015b1317e3a3aa6b3313aae94307d38a1704679161fbb1a39c8914

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Drachen123!

    These are not victim credentials: they are the attacker-controlled mailbox the sample logs into to send harvested keystrokes and passwords. smtp.gmail.com on port 587 implies STARTTLS, so the exfiltrated content is encrypted in transit; detection has to key on the connection itself (outbound SMTP from a process that is not a mail client) rather than on payload inspection. Treat the mailbox as an indicator of compromise and the credentials as burnt.

Targets

    • HawkEye

      HawkEye is a commodity keylogger and credential-stealer kit that has been sold and continuously developed since at least 2013. Later builds (HawkEye Reborn) bundle NirSoft's password-recovery utilities, which is why MailPassView and WebBrowserPassView are detected alongside it, and exfiltrate the harvested data by e-mail, as the SMTP configuration extracted above shows.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Reads user/profile data of web browsers

      Infostealers read stored browser profile data (the Chromium "Login Data" and Firefox "logins.json" stores and similar), which holds saved credentials, cookies and autofill entries.

    • Uses the VBS compiler for execution

      Launches vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (not a VBScript engine). HawkEye droppers typically start this Microsoft-signed binary and inject the stealer payload into it, so the malicious code runs under a legitimate process name.

    • Accesses Microsoft Outlook accounts

      Reads stored Outlook account settings, the same profile data the bundled NirSoft MailPassView recovers passwords from.

    • Adds Run key to start application

      Persistence: writes a value under a CurrentVersion\Run registry key so the stealer is relaunched at user logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process rewrites that thread's registers, including its instruction pointer. Together with a freshly spawned helper process (vbc.exe above) this is the classic process-hollowing pattern, not something a normal application does.
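The signatures above are sandbox verdicts; the following is an added example (editor's code, not Triage's rule logic or anything from the sample) of how the same behaviours can be correlated from host telemetry. It replays the report's chain over constructed Sysmon-style events: dropper spawns vbc.exe, vbc.exe persists via a Run key, reads browser credential stores, checks its external IP and then connects to the SMTP host from the extracted config. The host names, paths and the assumption that "Uses the VBS compiler for execution" means "spawns vbc.exe" are the example's own.

```python
# Added example (not part of the sandbox report): a minimal behaviour correlator that
# replays the signatures listed above against Sysmon-style telemetry.
# All events below are constructed for illustration; they are not from the sandbox run.
import re

# Legitimate .NET binaries HawkEye-family droppers use as injection hosts. Treating the
# report's "Uses the VBS compiler for execution" signature as "spawns vbc.exe" is an
# assumption of this example.
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
SOURCE_ARG = re.compile(r"\.(vb|cs|vbproj|csproj|sln)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
BROWSER_STORES = re.compile(r"\\(Login Data|logins\.json|key4\.db|Web Data)$", re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ipinfo.io"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return the set of report signatures reproduced by the given events."""
    hits = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            # A compiler started with no source file is an injection host, not a build step.
            if _basename(ev["image"]) in HOLLOW_HOSTS and not SOURCE_ARG.search(ev.get("cmdline", "")):
                hits.add("Uses the VBS compiler for execution")
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
            hits.add("Adds Run key to start application")
        elif kind == "file_read" and BROWSER_STORES.search(ev["path"]):
            hits.add("Reads user/profile data of web browsers")
        elif kind == "network_connect":
            host = ev.get("dest_host", "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits.add("Looks up external IP address via web service")
            # The extracted config exfiltrates over SMTP; mail from anything but a mail
            # client is the alertable condition (STARTTLS on 587 hides the content).
            if ev["dest_port"] in SMTP_PORTS and _basename(ev["image"]) not in MAIL_CLIENTS:
                hits.add("SMTP exfiltration from a non-mail process")
    return hits


# Constructed telemetry mirroring the chain in the report. Names and paths are invented.
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\victim\Downloads\sample.exe", "cmdline": "sample.exe"},
    {"type": "process_create", "image": VBC, "cmdline": "vbc.exe"},
    {"type": "registry_set", "image": VBC,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"},
    {"type": "file_read", "image": VBC,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network_connect", "image": VBC, "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"type": "network_connect", "image": VBC, "dest_host": "smtp.gmail.com", "dest_port": 587},
]

# A real build invocation must not trigger the compiler rule.
BENIGN_BUILD = [{"type": "process_create", "image": VBC, "cmdline": "vbc.exe /out:app.dll Module1.vb"}]

if __name__ == "__main__":
    for sig in sorted(correlate(SAMPLE_EVENTS)):
        print("matched:", sig)
```

The compiler rule keys on the absence of a source-file argument rather than on the parent process, because a build server legitimately spawns vbc.exe from odd parents while a hollowing host is almost always started with no arguments at all. The SMTP rule is deliberately broader than the report's own signatures: the sandbox reports the mailbox, but on a host the alertable fact is any non-mail process talking SMTP.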

MITRE ATT&CK Enterprise v6
