General

  • Target

    6bbce72776f6db8f497062b29b2848b3cb12d25f083486b08a474796d548848d

  • Size

    471KB

  • Sample

    221122-yc9pxseg83

  • MD5

    14c6f1d867933d7a620e9fda2e625fa3

  • SHA1

    a1c67649619f9809b6968cb7d389d35a6fe0bb00

  • SHA256

    6bbce72776f6db8f497062b29b2848b3cb12d25f083486b08a474796d548848d

  • SHA512

    ab39f73c3e01b6d9e8b9bedb62572d474b1e65878bca6e9c8c62148ada40dc07b97a03e69c43f4f71df22e7809a540897b01933aa94c69811436a6e782ec4d68

  • SSDEEP

    12288:pCxP7vfwHzyPxNjiGMHiHBYLK+bkJKH9av1+qn390hWk:rzyPxNmuBY+RKHH8AWk

Malware Config

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies WinLogon for persistence

      Rewrites Winlogon registry values (typically Userinit or Shell) so the payload is launched at every logon.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials and similar profile data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external IP address.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is a common step in process hollowing and similar code injection.
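Two of the behaviours above, "Modifies WinLogon for persistence" and "Looks up external IP address via web service", can be checked on a suspect host or in proxy logs with a few lines of triage code. The following is an added example written for this page, not code from the sandbox or from the HawkEye sample; the registry values, the proxy-log line format and the list of IP-lookup hosts are assumptions, and all sample data is constructed.

```python
"""Triage helpers for two behaviours listed in the report (example code,
not part of the sandbox output). Registry values are passed in as strings,
e.g. exported with `reg query`, so this runs on any platform."""
import re
from typing import Dict, List, Tuple

# Documented defaults for the Winlogon values that malware commonly edits.
# Userinit is a comma-separated list; persistence is usually an extra entry
# appended after the legitimate userinit.exe.
WINLOGON_DEFAULTS = {
    "Userinit": ["userinit.exe"],
    "Shell": ["explorer.exe"],
}


def _basenames(value: str) -> List[str]:
    # Split the comma list, drop empty entries, keep the file name only.
    names = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            names.append(part.replace("/", "\\").split("\\")[-1].lower())
    return names


def check_winlogon(values: Dict[str, str]) -> List[str]:
    """Return findings for values read from
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon."""
    findings = []
    for name, expected in WINLOGON_DEFAULTS.items():
        raw = values.get(name)
        if raw is None:
            continue
        for entry in _basenames(raw):
            if entry not in expected:
                findings.append(f"{name}: unexpected entry {entry!r} in {raw!r}")
    return findings


# Well-known public IP-lookup services; a starter list, extend for your estate.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "checkip.amazonaws.com",
    "icanhazip.com", "ifconfig.me", "ip-api.com",
    "whatismyipaddress.com", "bot.whatismyipaddress.com",
}

# Assumed proxy-log shape: "<timestamp> <client_ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def find_ip_lookups(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, host) pairs for requests to IP-lookup services."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = re.sub(r"^https?://", "", m.group("url")).split("/")[0]
        host = host.split(":")[0].lower()  # drop any explicit port
        if host in IP_LOOKUP_HOSTS:
            hits.append((m.group("client"), host))
    return hits


# Constructed sample data: a tampered Userinit value and three proxy-log lines.
SAMPLE_WINLOGON = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svchosts.exe,",
    "Shell": "explorer.exe",
}
SAMPLE_LOG = [
    "2022-11-22T10:01:02Z 10.0.0.5 GET http://bot.whatismyipaddress.com/",
    "2022-11-22T10:01:03Z 10.0.0.5 GET http://www.microsoft.com/",
    "2022-11-22T10:01:04Z 10.0.0.7 GET https://api.ipify.org/?format=text",
]

if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE_WINLOGON):
        print("WINLOGON:", finding)
    for client, host in find_ip_lookups(SAMPLE_LOG):
        print("IP LOOKUP:", client, "->", host)
```

The Winlogon check compares file names rather than full paths because the legitimate Userinit entry may be written with or without the system32 path; any second entry, or a Shell other than explorer.exe, is worth a closer look. An IP-lookup request alone is not malicious, but one from a host that also shows the Winlogon change is a strong pairing.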

MITRE ATT&CK Enterprise v6

Tasks