General

  • Target

    4bd7075cfacf1940c00cb60328ee20190a618d38023e2cb35a302a3903435b5d

  • Size

    744KB

  • Sample

    221122-yebwnsac81

  • MD5

    2a5c407e1e79a2291a6920a023eac0c3

  • SHA1

    7ac9bab12fd48ae21f59cdef5bb8e4fdb99f6f89

  • SHA256

    4bd7075cfacf1940c00cb60328ee20190a618d38023e2cb35a302a3903435b5d

  • SHA512

    5204916f50def7bcefebcb2dd33410e7af7ed952f64a3ad2da9cc495be85813d055692d3b469eb5094c0938ecc04d5f70bd9541e9ff824a76c3369661cbd6705

  • SSDEEP

    12288:8hvk3gqRvyIF0uR5vWPz6qQrKfDT3BwhmlI8Aq:gXOWL7zAq

Malware Config

Extracted

Credentials

  • Protocol: ftp
  • Host: ftp.strato.com
  • Port: 21
  • Username: [email protected]
  • Password: 220-bjcfrank

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks