General

  • Target

    3e2cf7204f98e827ef8e019dc51e5f2d8b337dc2df78fa2d9c825f257a48f922

  • Size

    1.5MB

  • Sample

    220311-ah52xsgddn

  • MD5

    4e133307ad0fc30c52b01eb6512c1d93

  • SHA1

    727cc5f60ae68de4df876de0ad4ca767c52aa5ea

  • SHA256

    3e2cf7204f98e827ef8e019dc51e5f2d8b337dc2df78fa2d9c825f257a48f922

  • SHA512

    22c711622aa9666a6aacf3c6c26371a29b8fbdc2dc1d4b5c26d089c0fffb282dd76bb1588b161583bed46c176fa4bd24f4b184c38e81e7725a9cdf618ed6d0a3

Targets

    • Target

      3e2cf7204f98e827ef8e019dc51e5f2d8b337dc2df78fa2d9c825f257a48f922 (the same 1.5MB file identified under General; MD5, SHA1, SHA256 and SHA512 as listed there)

    • HawkEye

      HawkEye is a commercially sold keylogger and credential-stealer kit that has seen continuous development since at least 2013. The NirSoft password-recovery utilities flagged below are the components it bundles and drops to harvest saved mail and browser credentials.

    • NirSoft MailPassView

      Legitimate NirSoft password-recovery tool for various email clients; here it is run by the stealer, not the user, to dump stored mail credentials.

    • NirSoft WebBrowserPassView

      Legitimate NirSoft password-recovery tool for various web browsers, used the same way to dump saved browser logins.

    • Nirsoft

      Generic detection of a bundled NirSoft utility.

    • Executes dropped EXE

      Runs an executable that was written to disk during the analysis, consistent with the bundled NirSoft tools above.

    • Checks computer location settings

      Looks up the country code configured in the registry (typically the Nation value under HKCU\Control Panel\International\Geo), likely a geofence that decides whether the payload runs based on the victim's configured country.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

      Launches vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework. HawkEye commonly uses this Microsoft-shipped binary as an innocuous-looking host process for its payload (see the SetThreadContext signature below); a compiler starting from a user-writable directory with no build tool as its parent is a strong hunting lead.

    • Accesses Microsoft Outlook accounts

      Reads the Outlook profile keys under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles, where account names, servers and stored credentials live; this is what MailPassView harvests.

    • Looks up external IP address via web service

      Queries a legitimate public IP-lookup service to learn the infected system's external IP, which stealers typically include in the exfiltrated report. The report does not name the service; in network telemetry this appears as a DNS query or HTTP request to such a service from a process with no legitimate reason to make one.

    • Suspicious use of SetThreadContext

      Calls SetThreadContext on a thread of another process. Combined with the vbc.exe launch above, this matches the process-hollowing pattern: create the host suspended, write the payload into it, point the thread's context at the payload, resume it.

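The behaviour signatures above are what the sandbox fired on this sample. The following is an added example, not Triage's own code and nothing from the sample, showing how the same signatures can be expressed as checks over a constructed sandbox-style event stream (process creations, registry reads, API calls, DNS lookups). The event format, every PID, path and host, and the USER_WRITABLE and IP_LOOKUP_HOSTS lists are assumptions; the hollowing check also demonstrates the ordering constraint (write, then SetThreadContext, then ResumeThread) that keeps a lone SetThreadContext call from firing.

```python
"""Replay of the behaviour signatures listed in this report against a
constructed event stream (added example; not Triage's code or the sample's)."""
import ntpath
from collections import defaultdict

# Assumption: events are (kind, fields) tuples as a sandbox might emit them.
# Every PID, path and host below is constructed for illustration only.
SAMPLE_EVENTS = [
    ("process",  {"pid": 100, "ppid": 1,   "image": r"C:\Users\u\AppData\Local\Temp\sample.exe"}),
    ("registry", {"pid": 100, "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}),
    ("process",  {"pid": 200, "ppid": 100, "flags": "CREATE_SUSPENDED",
                  "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"}),
    ("api",      {"pid": 100, "target": 200, "name": "WriteProcessMemory"}),
    ("api",      {"pid": 100, "target": 200, "name": "SetThreadContext"}),
    ("api",      {"pid": 100, "target": 200, "name": "ResumeThread"}),
    ("registry", {"pid": 200, "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
                  "value": "Email"}),
    ("dns",      {"pid": 200, "host": "ip-lookup.example"}),
    ("process",  {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\mailpv.exe"}),
]

# Directories a dropper can write to without elevation (assumed list, lowercase).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Public IP-lookup services. The report does not say which one this sample used,
# so this set is an assumption; the .example host exists only for the constructed data.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com",
                   "ip-lookup.example"}


def _images(events):
    return {e["pid"]: e["image"].lower() for k, e in events if k == "process"}


def _parents(events):
    return {e["pid"]: e["ppid"] for k, e in events if k == "process"}


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def sig_executes_dropped_exe(events):
    """Executes dropped EXE: an image under a user-writable directory whose
    parent is itself a process observed in the analysis."""
    images, parents = _images(events), _parents(events)
    return sorted(pid for pid, img in images.items()
                  if _user_writable(img) and parents[pid] in images)


def sig_vbs_compiler(events):
    """Uses the VBS compiler for execution: vbc.exe started by a process that
    lives in a user-writable directory (no build tool would be there)."""
    images, parents = _images(events), _parents(events)
    return sorted(pid for pid, img in images.items()
                  if ntpath.basename(img) == "vbc.exe"
                  and _user_writable(images.get(parents[pid], "")))


def sig_set_thread_context(events):
    """Suspicious use of SetThreadContext: the hollowing order against a child the
    caller created suspended: WriteProcessMemory -> SetThreadContext -> ResumeThread."""
    suspended = {e["pid"] for k, e in events
                 if k == "process" and e.get("flags") == "CREATE_SUSPENDED"}
    calls = defaultdict(list)                      # (injector, target) -> API names in order
    for k, e in events:
        if k == "api" and e.get("target") in suspended:
            calls[(e["pid"], e["target"])].append(e["name"])
    sequence = ["WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    hits = []
    for pair, names in calls.items():
        pos = [names.index(n) for n in sequence if n in names]
        if len(pos) == len(sequence) and pos == sorted(pos):
            hits.append(pair)
    return hits


def sig_checks_location(events):
    """Checks computer location settings: reads the Nation value under
    Control Panel\\International\\Geo (the geofence lookup)."""
    return [e["pid"] for k, e in events if k == "registry"
            and e["key"].lower().endswith(r"\control panel\international\geo")
            and e["value"].lower() == "nation"]


def sig_outlook_accounts(events):
    """Accesses Microsoft Outlook accounts: any read below an Outlook\\Profiles key."""
    return [e["pid"] for k, e in events
            if k == "registry" and r"\outlook\profiles" in e["key"].lower()]


def sig_external_ip_lookup(events):
    """Looks up external IP address via web service: DNS query for a known lookup host."""
    return [e["host"] for k, e in events
            if k == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS]


def run_signatures(events=SAMPLE_EVENTS):
    """Map each report signature to its hits; an empty list means it did not fire."""
    return {
        "Executes dropped EXE": sig_executes_dropped_exe(events),
        "Checks computer location settings": sig_checks_location(events),
        "Uses the VBS compiler for execution": sig_vbs_compiler(events),
        "Accesses Microsoft Outlook accounts": sig_outlook_accounts(events),
        "Looks up external IP address via web service": sig_external_ip_lookup(events),
        "Suspicious use of SetThreadContext": sig_set_thread_context(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures().items():
        print(("HIT  " if hits else "     ") + name + ": " + str(hits))
```

Against the constructed stream every signature fires once: the hollowing check reports injector 100 against child 200 only because the three calls appear in order on a child created suspended; drop the ResumeThread event and it stays silent, which is the behaviour you want from a rule that otherwise would flag every debugger.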