General
-
Target
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
-
Size
1.1MB
-
Sample
221123-q2z8safe23
-
MD5
628159cada256516f610bbe6db816f77
-
SHA1
3d707cc93337e5d875861e01e363e10be7248702
-
SHA256
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
-
SHA512
cc86a5fdc6d506c3b838ea83ced31d7264ab32296b45993f3a20af2ecd521f81dfb426eda345e4615e3505ace632b1c1a9551d418c835625ab61123b3a40d965
-
SSDEEP
24576:1ALejTbyeniCQEx88bUJevBnDa58aY+zX52t4/xpeJ2YYHv:1M4GCF8uU8cgk4tAxpsQv
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
qwerty@321
Targets
-
-
Target
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
-
Size
1.1MB
-
MD5
628159cada256516f610bbe6db816f77
-
SHA1
3d707cc93337e5d875861e01e363e10be7248702
-
SHA256
871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
-
SHA512
cc86a5fdc6d506c3b838ea83ced31d7264ab32296b45993f3a20af2ecd521f81dfb426eda345e4615e3505ace632b1c1a9551d418c835625ab61123b3a40d965
-
SSDEEP
24576:1ALejTbyeniCQEx88bUJevBnDa58aY+zX52t4/xpeJ2YYHv:1M4GCF8uU8cgk4tAxpsQv
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Modifies WinLogon for persistence
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-