Overview

overview

10

Static

static

Account Re...on.exe

windows7_x64

10

Account Re...on.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1720267c013b2a2146c0a04e6436d3e7d60c5a9344f58156f8eb0f938053dc81

  • Size

    646KB

  • Sample

    220520-2m6mssafhk

  • MD5

    a702737ad60166f2d7a73cdfc5458f59

  • SHA1

    2f920e5acaae78b4b64224a22506e2a149e3af3f

  • SHA256

    1720267c013b2a2146c0a04e6436d3e7d60c5a9344f58156f8eb0f938053dc81

  • SHA512

    7f291865ff803928df9ef5e17cfc3d4e485cf04f645f4129c649a713a1216170577e2c5b7a19d6fd7e948a1735d0576a8ad7fac849c53f7ca3788519c2b1de1c

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.grandinnabalibeach.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pur6188

Targets

    • Target

      Account Reconciliation.exe

    • Size

      734KB

    • MD5

      110a88034d9e642e19edf614022f99a9

    • SHA1

      5d7f28c30e7abf2795414f7b4276013853f3dc57

    • SHA256

      8a2e8c8992d6372ae7d7e4dbb4a8352fa756b7dd4e4822ff0204c2717568812a

    • SHA512

      fbeea4b1db2316a2ca5d6ea6517151e9433565a6a2641b51337f3f5c2d2a6c196e8dbd3c464a462f1abb87b8fcd0af258b3d1414a62a24e671ffc777856eeb59

    Score
    10/10
    hawkeyecollectionkeyloggerspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks