General

  • Target

    3bb66ff8b54e191bd80f8ac996c0b3376d1a62a88fa7c1944aa2ff2015c6296e

  • Size

    572KB

  • Sample

    220311-a94m6sghbk

  • MD5

    dd60950e856c90f0b22b94067698ab73

  • SHA1

    50cc436cbdd510d78d3e077ba45d5f8b854cf7e0

  • SHA256

    3bb66ff8b54e191bd80f8ac996c0b3376d1a62a88fa7c1944aa2ff2015c6296e

  • SHA512

    1da7c73863ba9834e162d56811486db594337f4c9fa26afa8f143703f3fa8a0a1a95a6232fc47d0e55212cb2099dd75c68b51844d6719fc8747367f4e92c9d8d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ApostolJord1q2w4r3e5t6y

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks