General

  • Target

    11f7ede55463505baecc8fc1ebc5cc3701044389351fa3b742e5aed17d2724db

  • Size

    1.5MB

  • Sample

    220521-xzannsgacj

  • MD5

    3c4d38e9a0897587496c4167910a5c80

  • SHA1

    292b9936277840626b5ba802181b178d0f7e4388

  • SHA256

    11f7ede55463505baecc8fc1ebc5cc3701044389351fa3b742e5aed17d2724db

  • SHA512

    35be62a7232c6e88934deb8d658a1a8c5b4aa64198d02d48fd6a3ab501a76b1dc113b9eba5cdcaf55a1631054bf06b0ccb1a5dc48d411ccac09c0ef174925962

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    jana.stoeckigt@biotrouik.com
  • Password:
    _40Ejyi_+uDx

Targets

    • Target

      Seaway HBL copy & CREDIT NOTE.exe

    • Size

      1.9MB

    • MD5

      3fb5f58bb106a4fc46c7cd7d021cd9c7

    • SHA1

      4a737e64c42d64e9ef5e1cd4c81793402ba236c9

    • SHA256

      e3e7451b75ac83f674865fe1f4dd3da02cb1cb1c5015b3df36d0d2416e6c6e2b

    • SHA512

      d7292fff43cce2e04476c46aee050e965820af45c499d2b5e37dc9871d59ee48a5d87961cfe6e0ea7dfb37b40e00f0d3414f15f345640f82fbffe2b8e27d3fe7

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Collection

    Email Collection (T1114): 1

Tasks