General

  • Target

    64a73cc4e0b19852bf4d37ef96d8c80ace2eb7a810807d8516353d5e8124a85b

  • Size

    469KB

  • Sample

    221123-lndemsbg69

  • MD5

    281301ef0a83967024fb992845b603a0

  • SHA1

    5e84df4a2fe03de8bb25a916b5759abdcb446aa6

  • SHA256

    64a73cc4e0b19852bf4d37ef96d8c80ace2eb7a810807d8516353d5e8124a85b

  • SHA512

    4cd90a7cd0c8acfd8fb16c434cd7a1af46f5a3eb9aee8a20315fb441eeb0b7bd9d97a4110410baedab06c81ba8c71ef90d820577d366b7ed447486d6f88831a5

  • SSDEEP

    12288:nvYoZfvS2EYifLrH8MdW9ibn0C+CKp45:nwoZfvWLxoyn0DCD5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    4949solo

Targets

    • Target

      64a73cc4e0b19852bf4d37ef96d8c80ace2eb7a810807d8516353d5e8124a85b

    • Size

      469KB

    • MD5

      281301ef0a83967024fb992845b603a0

    • SHA1

      5e84df4a2fe03de8bb25a916b5759abdcb446aa6

    • SHA256

      64a73cc4e0b19852bf4d37ef96d8c80ace2eb7a810807d8516353d5e8124a85b

    • SHA512

      4cd90a7cd0c8acfd8fb16c434cd7a1af46f5a3eb9aee8a20315fb441eeb0b7bd9d97a4110410baedab06c81ba8c71ef90d820577d366b7ed447486d6f88831a5

    • SSDEEP

      12288:nvYoZfvS2EYifLrH8MdW9ibn0C+CKp45:nwoZfvWLxoyn0DCD5

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks