General

  • Target

    9cdd721a004040f45ab3d4fbfa588ada0cc8cd769428959920be5d9cdb619540

  • Size

    999KB

  • Sample

    220724-zrjbysgcem

  • MD5

    dd0d46842443bace025185c081d7d311

  • SHA1

    809b9b78ec996ac090ffd79e5c147203990467b3

  • SHA256

    9cdd721a004040f45ab3d4fbfa588ada0cc8cd769428959920be5d9cdb619540

  • SHA512

    9406d73eba02d20ac2104bfb142a82db06267bb8002ac88053c3978d54d8765954578da65481cf289a8e78c01da6ee0c9dd01636a072d47693e29724bacecb1d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtpout.secureserver.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Livesex#2019

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
