2e6a6b1db04bcd6cf3f8520fecb998c1825de8bf5d00fcb18cab997d7730dc71

General
Target

2e6a6b1db04bcd6cf3f8520fecb998c1825de8bf5d00fcb18cab997d7730dc71

Size

531KB

Sample

220521-xhdzrsbgc5

Score
10 /10
MD5

28f1ac7d585f7c7930c6aec0f0ae8d7a

SHA1

b7f8ad202c56286e752d8c77a9caef20fac8a447

SHA256

2e6a6b1db04bcd6cf3f8520fecb998c1825de8bf5d00fcb18cab997d7730dc71

SHA512

4ab7707cba28026affd5f57ed0a6f78a58fed0a9acaa4b8465995e87fff2ec5e3cd08dae8c49598a636ceddf26cbe31f3761501b2fb0a39cdcbdda395dc6f208

Malware Config

Extracted

Credentials

Protocol: smtp

Host: webmail.tos-thailand.com

Port: 587

Username: sudarat.k@tos-thailand.com

Password: P@ssw0rd

Targets
Target

PO9087665788.exe

MD5

105cab9441e63917a5c774c36ab801c6

Filesize

825KB

Score
10/10
SHA1

c343476262267c46ebee6cf8683de3620ca938d0

SHA256

60a50c08aad635ae204be365b12b1dce34134c62b25c74aa5dc4a2e02aa75771

SHA512

5d63d1389d52f1d0459db03d3aab90a4d555e22e3d0773ffe5ad8e0a35a319b67c2dfc0d435a2592b684308cfb8b8e3de6cdb4468d8cafffea594a5e7c6521a3

Tags

Signatures

  • HawkEye

    Description

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    Tags

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

  • Nirsoft

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Deletes itself

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Accesses Microsoft Outlook accounts

    Tags

    TTPs

    Email Collection
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
      Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Privilege Escalation