General

  • Target

    3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560

  • Size

    1.1MB

  • Sample

    221122-xpx18adg35

  • MD5

    c311711a2b54c663916925c8d1171881

  • SHA1

    946d5729d2fa83a4f2f56f29d1f2271dd2cf34af

  • SHA256

    3857aff7641664e134111eb7e2f373ccc2824d5be5f614b0a2992646b87e6560

  • SHA512

    64bbed820440494ae76a63f8517c8781b6903100e3c41b253dbd276dd90ae6371db4626a7aa78ff76efe9f78a76a903677e14f14ba13c2cf329d8217c09502c7

  • SSDEEP

    24576:L72nfRhfpJo+WdC6OJilSdh1l6NYZMeL/3C5essn17hiUMJ:vkJhxJmc64WSn1lvZtbC53sn1liUM

Targets

    • HawkEye

      HawkEye is a commodity keylogger and credential-stealing malware kit that has seen continuous development since at least 2013.

    • Modifies WinLogon for persistence

      Writes to the Winlogon registry key (typically the Shell or Userinit value) so that the payload is launched again at every interactive logon.

    • NirSoft MailPassView

      NirSoft's legitimate password-recovery tool for email clients; HawkEye bundles it to dump stored mail credentials.

    • NirSoft WebBrowserPassView

      NirSoft's legitimate password-recovery tool for web browsers; bundled in the same way to dump saved browser logins.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

      Launches vbc.exe, the .NET Visual Basic compiler, as a host process for the payload. A compiler process that drops files or talks to the network is a strong injection indicator.

    • Accesses Microsoft Outlook accounts

      Reads the Outlook profile and account entries stored in the registry to harvest configured mail credentials.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Called after writing into a suspended process to redirect its entry point, the defining step of process hollowing; it fits the vbc.exe host noted above.
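
The two persistence signatures in this list, "Modifies WinLogon for persistence" and "Adds Run key to start application", are the ones a responder can verify directly on a suspect host. The following is an added example, not code from the sandbox or from the HawkEye kit: it parses a Windows .reg export (the text that `reg export` writes) and reports Winlogon values that differ from their stock defaults together with Run/RunOnce entries that start a binary from a user-writable directory. The export embedded in the block is constructed for the example; the user name and file names in it are hypothetical.

```python
"""Registry persistence check for Winlogon hooks and Run-key autoruns.

Added example. Reads a .reg export and flags (1) Winlogon Shell/Userinit values
that differ from their defaults and (2) Run/RunOnce entries that launch from a
user-writable path. The sample export below is constructed; names are hypothetical.
"""
import re
from dataclasses import dataclass

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Winlogon values on a default install. Shell is the user's desktop process and
# Userinit runs before it; appending a second program to either is a classic logon
# hook. The trailing comma on Userinit is part of the default value.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Directories a standard user can write to. An autorun pointing here is the usual
# shape of a dropped-EXE persistence entry; system binaries live elsewhere.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)

# .reg syntax: [key path] lines followed by "name"=data or @=data lines. REG_SZ data
# is double-quoted, with backslashes and quotes escaped by a backslash.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} for a .reg export.

    Non-string types (dword:, hex:) are kept as raw text; the values that matter
    for a persistence review are all REG_SZ.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


@dataclass
class Finding:
    key: str
    value: str
    data: str
    reason: str


def find_persistence(keys):
    """Flag Winlogon deviations and Run entries that start a user-writable binary."""
    findings = []
    winlogon = {n.lower(): d for n, d in keys.get(WINLOGON_KEY.lower(), {}).items()}
    for name, default in WINLOGON_DEFAULTS.items():
        data = winlogon.get(name.lower())
        if data is not None and data.strip().lower() != default.lower():
            findings.append(Finding(WINLOGON_KEY, name, data, "Winlogon value differs from stock default"))
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values.items():
            if USER_WRITABLE_RE.search(data):
                findings.append(Finding(key, name, data, "Run entry launches from a user-writable path"))
    return findings


# Constructed sample export: one hooked Userinit, one dropped binary in Run, and two
# legitimate entries so the check has something to leave alone (or, for OneDrive,
# to show a benign AppData autorun that still needs allowlisting).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsUpdate"="C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''


if __name__ == "__main__":
    for f in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{f.reason}: [{f.key}] {f.value} = {f.data}")
```

The user-writable-path rule deliberately fires on the OneDrive entry: legitimate per-user software lives in AppData too, so in practice the path heuristic is the first pass and the binary's signature or hash is the second. The Userinit hit is the one that matters here, since nothing benign appends a second program to that value.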

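The "Looks up external IP address via web service" and "Uses the VBS compiler for execution" signatures translate into a simple network detection: an IP-lookup query from anything that is not a browser, and any name resolution at all from vbc.exe. The block below is an added example, not code from the sandbox; it runs that logic over Sysmon-style DNS query events (Event ID 22, which carries the querying Image and the QueryName) supplied as JSON lines. The lookup-service watchlist and the event lines are constructed for the example, since the page does not name the service the sample actually contacted.

```python
"""Detection over DNS-query telemetry: IP-lookup services queried by non-browsers,
and DNS activity from .NET compiler binaries such as vbc.exe.

Added example. The host watchlist and the sample events are constructed.
"""
import json
from pathlib import PureWindowsPath

# Public "what is my IP" endpoints. Assumed watchlist for this example.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com",
    "ipinfo.io", "whatismyipaddress.com", "checkip.amazonaws.com",
}
# Processes for which an IP-lookup query is unremarkable.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# .NET build tools that a workstation has no reason to see resolving names.
# vbc.exe is the one the signature names; the others are assumed additions.
NO_NETWORK_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe"}


def classify(event):
    """Return the detection tags that apply to one DNS-query event (may be empty)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    qname = event.get("QueryName", "").lower().rstrip(".")
    tags = []
    if image in NO_NETWORK_HOSTS:
        tags.append("compiler-host-dns")
    if qname in IP_LOOKUP_HOSTS and image not in BROWSERS:
        tags.append("external-ip-lookup")
    return tags


def detect(jsonl):
    """Run classify over JSON-lines telemetry and keep only the events that fired."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tags = classify(ev)
        if tags:
            hits.append({"tags": tags, "image": ev["Image"], "query": ev["QueryName"]})
    return hits


# Constructed Sysmon Event ID 22 records: a browser doing a lookup (benign), a
# hollowed vbc.exe doing one, a dropped binary doing one, and ordinary svchost noise.
SAMPLE_EVENTS = r"""
{"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "whatismyipaddress.com"}
{"EventID": 22, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "QueryName": "checkip.dyndns.org"}
{"EventID": 22, "Image": "C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe", "QueryName": "api.ipify.org"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "ctldl.windowsupdate.com"}
"""


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(", ".join(hit["tags"]), "-", hit["image"], "->", hit["query"])
```

The compiler-host rule is the higher-confidence of the two: an IP-lookup query alone has plenty of benign sources, but vbc.exe resolving names is only explained by something else running inside it, which is exactly what the SetThreadContext signature points at.
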
MITRE ATT&CK Enterprise v6