General

  • Target: 4aa2b0ad01e19160db78a327fa0080f13ef0b6fb514b36d64430a4f08d356385
  • Size: 958KB
  • Sample: 220712-ptt65adbd8
  • MD5: 23a7baa2d44b93d838ff6abe52cf6cc2
  • SHA1: 2a38e25c63646a39cb8538489c49c5d57b1dcee2
  • SHA256: 4aa2b0ad01e19160db78a327fa0080f13ef0b6fb514b36d64430a4f08d356385
  • SHA512: 17ebe33be7827c48c67965968df4cc0256237f67c6d279982896f78ebb4766b2d8796be49af8c1b75791c9cdbcdddaf83620c4302f2cf1ec5063f39a92d7b0ce

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.com
  • Port: 587
  • Username: [email protected]
  • Password: ifeanyi1987

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks