General

  • Target

    92c85e11f297d167ac13774cd32ae7106f11f295251be0983990b150a8e3b576

  • Size

    1.3MB

  • Sample

    220521-w7l61abba3

  • MD5

    833fd320bd8561f6b5a0d9edce0697f8

  • SHA1

    4b798e87d2cbe2e93f35a3a8f3dfa2ee99e9c03f

  • SHA256

    92c85e11f297d167ac13774cd32ae7106f11f295251be0983990b150a8e3b576

  • SHA512

    0d72ee76ee0ba1dd3d6f03084b1b8590e472d614fc8018d1863bed6f13e67f51c1e4c9d2d0a3be7834cc06463e4837d612e5e8701e6593ce043d82cb0b746466

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    outback.websitewelcome.com
  • Port:
    587
  • Username:
    sungearmotors@2020weddingeventz2.com
  • Password:
    chukwuma12

Targets

    • Target

      Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.EXE

    • Size

      1.8MB

    • MD5

      cc5e307e68ccb5b363a1d8125e0edfb1

    • SHA1

      0937747b83e0624bec024daadeaf5c7effdbcb36

    • SHA256

      82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5

    • SHA512

      ac464272963a2208cf7061e22c75d2ae5b9c76ade74cd1c21aeb28690d2d2ccee45c2cfafe09ad588a56a802f438dfc9a56e60792f87e483db727b8286968815

    • HawkEye

      HawkEye is a commodity keylogger and credential-stealing malware kit that has seen continuous development since at least 2013; stolen data is typically sent out over the SMTP account embedded in its configuration (see the extracted credentials above).

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is a common step in process hollowing and other code-injection techniques.
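The indicators above (file hashes, the Run key and Startup-folder persistence, and the SMTP exfiltration host and port from the extracted configuration) can be turned into a small triage script. The following is an added example written for this page, not code from the sandbox or from the sample; the event records it scans are constructed to approximate Sysmon event IDs 3, 11 and 13 (the field names, the value name under the Run key, the file paths and the process images are assumptions, not data from the report).

```python
"""Hunting helper built from the IOCs in this report (added example, not sandbox code)."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Hashes taken verbatim from the report.
SAMPLE_HASHES = {
    "md5": "833fd320bd8561f6b5a0d9edce0697f8",
    "sha1": "4b798e87d2cbe2e93f35a3a8f3dfa2ee99e9c03f",
    "sha256": "92c85e11f297d167ac13774cd32ae7106f11f295251be0983990b150a8e3b576",
}
DROPPED_HASHES = {
    "md5": "cc5e307e68ccb5b363a1d8125e0edfb1",
    "sha1": "0937747b83e0624bec024daadeaf5c7effdbcb36",
    "sha256": "82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5",
}
# Exfiltration channel from the extracted malware config.
EXFIL_HOST = "outback.websitewelcome.com"
EXFIL_PORT = 587

# Standard Run key and Startup folder locations (not specific to this sample).
RUN_KEY_PREFIXES = (
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)
STARTUP_DIR_FRAGMENT = "\\start menu\\programs\\startup\\"


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute the digests this report lists for an in-memory file."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_iocs(digests: Dict[str, str]) -> Optional[str]:
    """Return 'sample', 'dropped' or None for a dict of hex digests keyed by algorithm."""
    for label, known in (("sample", SAMPLE_HASHES), ("dropped", DROPPED_HASHES)):
        for algo, value in digests.items():
            if known.get(algo) == value.lower():
                return label
    return None


def scan_event(ev: Dict[str, object]) -> List[str]:
    """Map one Sysmon-style event (constructed schema) to findings from this report."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        target = str(ev.get("TargetObject", ""))
        if any(target.lower().startswith(p.lower()) for p in RUN_KEY_PREFIXES):
            hits.append(f"persistence: Run key value set ({target})")
    elif eid == 11:  # FileCreate
        path = str(ev.get("TargetFilename", ""))
        if STARTUP_DIR_FRAGMENT in path.lower():
            hits.append(f"persistence: file dropped in Startup folder ({path})")
    elif eid == 3:  # NetworkConnect
        host = str(ev.get("DestinationHostname", "")).lower()
        port = int(ev.get("DestinationPort", 0))
        if host == EXFIL_HOST and port == EXFIL_PORT:
            hits.append(f"exfiltration: SMTP submission to HawkEye mail host {host}:{port}")
        elif port in (25, 465, 587):
            hits.append(f"review: outbound mail-submission traffic to {host}:{port}")
    return hits


def scan_events(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (process image, finding) pairs for every event that matches."""
    findings = []
    for ev in events:
        for hit in scan_event(ev):
            findings.append((str(ev.get("Image", "?")), hit))
    return findings


# Constructed events: process names, paths and the Run value name are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\victim\\Downloads\\sample.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample"},
    {"EventID": 11, "Image": "C:\\Users\\victim\\Downloads\\sample.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\"
                       "Start Menu\\Programs\\Startup\\sample.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "DestinationHostname": "outback.websitewelcome.com", "DestinationPort": 587},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, finding in scan_events(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

The mail-host check is deliberately exact on host and port; the generic port check only asks for review, since legitimate clients also submit mail on 587. For real telemetry, replace SAMPLE_EVENTS with parsed Sysmon events and compare file digests from digest_bytes against match_iocs.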

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Execution        Scripting                            1      T1064
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Scripting                            1      T1064
  Defense Evasion  Modify Registry                      1      T1112
  Collection       Email Collection                     1      T1114

The IDs follow ATT&CK v6; in later versions T1064 (Scripting) was deprecated in favour of the T1059 command and scripting interpreter sub-techniques, and T1060 became T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
