Overview

overview

10

Static

static

4a77080b5e...da.exe

windows7_x64

10

4a77080b5e...da.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da

  • Size

    599KB

  • Sample

    220712-qehp8aecf9

  • MD5

    fc749757fb4f8b8f4ba51ccd2e24d83e

  • SHA1

    8e822fb513966cdddeab856cc865bd54e90acf2e

  • SHA256

    4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da

  • SHA512

    ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273

Score
10/10
hawkeyecollectiondiscoverykeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.grefas.co.th
  • Port:
    587
  • Username:
    rachane@grefas.co.th
  • Password:
    Cream3040

Targets

    • Target

      4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da

    • Size

      599KB

    • MD5

      fc749757fb4f8b8f4ba51ccd2e24d83e

    • SHA1

      8e822fb513966cdddeab856cc865bd54e90acf2e

    • SHA256

      4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da

    • SHA512

      ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273

    Score
    10/10
    hawkeyecollectiondiscoverykeyloggerspywarestealertrojanpersistencesuricata

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

      suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

      suricata

    • suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters

      suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters

      suricata

    • suricata: ET MALWARE Zbot POST Request to C2

      suricata: ET MALWARE Zbot POST Request to C2

      suricata

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks