General

  • Target

    2de29c17c68dd52af710a954c63d331e6b7e2fdb914c9122ea5cd6652943c216

  • Size

    934KB

  • Sample

    220622-qha5jsaae8

  • MD5

    6ca909d83984034a7c5e10651f013fbf

  • SHA1

    31acefacff84d791f1f5a89c3af0d4cdeaede3ca

  • SHA256

    2de29c17c68dd52af710a954c63d331e6b7e2fdb914c9122ea5cd6652943c216

  • SHA512

    990f9dda388d71557e216f46fbc43c6fadb6c5927f4865c7f83080c66254ab29c9a54bb025551ec9976ef9f928336272e6ceac18560de440f703c5497fa8b1e0

Targets

    • Target

      2de29c17c68dd52af710a954c63d331e6b7e2fdb914c9122ea5cd6652943c216

    • Size

      934KB

    • MD5

      6ca909d83984034a7c5e10651f013fbf

    • SHA1

      31acefacff84d791f1f5a89c3af0d4cdeaede3ca

    • SHA256

      2de29c17c68dd52af710a954c63d331e6b7e2fdb914c9122ea5cd6652943c216

    • SHA512

      990f9dda388d71557e216f46fbc43c6fadb6c5927f4865c7f83080c66254ab29c9a54bb025551ec9976ef9f928336272e6ceac18560de440f703c5497fa8b1e0

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Uses the Visual Basic compiler (vbc.exe) for execution

      vbc.exe is the .NET Visual Basic compiler shipped with the Framework. It is a signed Microsoft binary and is commonly started only to serve as the host process into which the payload is injected.

    • Accesses Microsoft Outlook accounts

      Outlook profile data in the registry can include account names and stored mail-server credentials.

    • Adds Run key to start application

      Registers itself under the Run key so that it is launched again at every logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on the thread of a process that was created suspended redirects its entry point; this is the final step of process hollowing and fits the use of vbc.exe as a host process.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Signatures  ID
  Execution          Scripting                            1           T1064
  Persistence        Registry Run Keys / Startup Folder   1           T1060
  Defense Evasion    Scripting                            1           T1064
  Defense Evasion    Modify Registry                      1           T1112
  Credential Access  Credentials in Files                 2           T1081
  Collection         Data from Local System               2           T1005
  Collection         Email Collection                     1           T1114
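As an added example, not part of this report or of any sandbox's own rule set, the following Python maps constructed sandbox-style behavioural events to the signatures listed above and then tallies them into the per-technique counts shown in the ATT&CK v6 matrix. The event field names, the IP-lookup host list and the registry/file patterns are assumptions chosen for illustration; the technique IDs are the ones the matrix lists.

```python
"""Classify sandbox-style events into the HawkEye report's signatures.

Added example, not the sandbox's own code.  Event schema, patterns and the
IP-lookup host list are assumptions; ATT&CK v6 IDs are copied from the matrix.
"""
import re

# ATT&CK v6 technique IDs exactly as the report's matrix lists them.
ATTACK_V6 = {
    "Scripting": "T1064",
    "Registry Run Keys / Startup Folder": "T1060",
    "Modify Registry": "T1112",
    "Credentials in Files": "T1081",
    "Data from Local System": "T1005",
    "Email Collection": "T1114",
}

# Illustrative patterns for what a sandbox would log (assumptions, not its rules).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
BROWSER_DATA_RE = re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)
MESSENGER_DATA_RE = re.compile(r"\\(Skype|Telegram Desktop|\.purple|Pidgin)\\", re.I)
OUTLOOK_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ipinfo.io"}  # assumed list
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess


def classify(events):
    """Return {signature name: [ATT&CK v6 IDs]} for the behaviours seen in events."""
    hits = {}
    suspended = set()  # PIDs created with CREATE_SUSPENDED, i.e. hollowing candidates
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                suspended.add(ev["pid"])
            if ev["image"].lower().endswith("\\vbc.exe"):
                hits["Uses the Visual Basic compiler (vbc.exe) for execution"] = [
                    ATTACK_V6["Scripting"]]
        elif kind == "api_call" and ev["api"] == "SetThreadContext":
            # Only suspicious when the target is a process this sample created
            # suspended; the v6 matrix in the report has no row for it.
            if ev.get("target_pid") in suspended:
                hits["Suspicious use of SetThreadContext"] = []
        elif kind == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            hits["Adds Run key to start application"] = [
                ATTACK_V6["Registry Run Keys / Startup Folder"],
                ATTACK_V6["Modify Registry"]]
        elif kind == "reg_query" and OUTLOOK_KEY_RE.search(ev["key"]):
            hits["Accesses Microsoft Outlook accounts"] = [ATTACK_V6["Email Collection"]]
        elif kind == "file_read" and BROWSER_DATA_RE.search(ev["path"]):
            hits["Reads user/profile data of web browsers"] = [
                ATTACK_V6["Credentials in Files"], ATTACK_V6["Data from Local System"]]
        elif kind == "file_read" and MESSENGER_DATA_RE.search(ev["path"]):
            hits["Reads local data of messenger clients"] = [
                ATTACK_V6["Credentials in Files"], ATTACK_V6["Data from Local System"]]
        elif kind == "http_request" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"] = []
    return hits


def technique_counts(hits):
    """Number of signatures mapped to each technique: the count column of the matrix."""
    counts = {}
    for ids in hits.values():
        for tid in ids:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


# Constructed events; paths, PIDs and the Outlook profile GUID are invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "flags": CREATE_SUSPENDED,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"type": "api_call", "api": "SetThreadContext", "target_pid": 4120},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MyApp", "data": r"C:\Users\victim\AppData\Roaming\MyApp\MyApp.exe"},
    {"type": "reg_query",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "file_read",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "path": r"C:\Users\victim\AppData\Roaming\.purple\accounts.xml"},
    {"type": "http_request", "method": "GET", "host": "checkip.dyndns.org", "path": "/"},
    {"type": "file_read", "path": r"C:\Windows\System32\kernel32.dll"},  # benign, no match
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for name, ids in found.items():
        print(f"{name}: {', '.join(ids) or '(no technique in v6 matrix)'}")
    print(technique_counts(found))
```

Run against the constructed events, the tally comes out as T1081 and T1005 twice each (browser and messenger data) and the other four techniques once, which is exactly the count column of the matrix above; the SetThreadContext and IP-lookup signatures contribute no technique because the v6 matrix has no row for them.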