General

  • Target

    38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4

  • Size

    411KB

  • Sample

    220311-b7kyqaheeq

  • MD5

    b4fbacbccd740dc82e4f01b5254da6f9

  • SHA1

    61464744dbdc90470219c04343d50b63bdfae285

  • SHA256

    38c8a732a5c720eb7cc5218f1ea3cf44a48f43394bbd960029d666e8332c88f4

  • SHA512

    90722621d1a3b7f45ac0adae7ca1c7dad81966afdf9b1118bcdfcb9c938ef4b43c03f08eb2c6b722b529519cfe883b3e9873c4de03cb208636da2c826028caa6

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YWhoQG..GhvdG1...

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks