Overview

overview

10

Static

static

PO-1151.scr

windows7_x64

10

PO-1151.scr

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a25bc737fa918f9299e2cef22882504acd249787fa9fa181b6a7ef044c0ee556

  • Size

    736KB

  • Sample

    220521-aba8zacgej

  • MD5

    7350f0532cd05fd7c4c46a364221bf99

  • SHA1

    7b01b524aec1cc30a060fae2917839e5739d7fed

  • SHA256

    a25bc737fa918f9299e2cef22882504acd249787fa9fa181b6a7ef044c0ee556

  • SHA512

    2d04fe8b5cee199ac29d075df6e48153f5efa118af22997213b5280fcc8f761ed2ef18e154860c78f604b3c706d9c2779a14ed10286ca293253e0093750267f7

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    payments00

Targets

    • Target

      PO-1151.scr

    • Size

      854KB

    • MD5

      e10e52b1b63ab576d01720563cbc3e1e

    • SHA1

      c94588afb551c9f0350f6c9ccbe1696244b61a89

    • SHA256

      a72abccbb65d45e50e2bdac6fbfcc3832af2be5e8bb2c20904674b8e59fc667c

    • SHA512

      cc327eacdcf59fadcc11d9cf6302afcd503d51241869f3601477d9856daabdd132b9ac14c859b71732d352f68cfdb00fbf85d6f99b6a53fad342ca9e287a06b8

    Score
    10/10
    hawkeyecollectionkeyloggerspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks