General

  • Target

    ac58566b0816ed10555d42d221bf5c12a70754e33b76adaf38253786ce57fa71

  • Size

    424KB

  • Sample

    221123-qnth3sed87

  • MD5

    aa764c52771914cdfb3f246162ff407c

  • SHA1

    a05a64765f4809ab09d6c38eaa6cfe12e6a10905

  • SHA256

    ac58566b0816ed10555d42d221bf5c12a70754e33b76adaf38253786ce57fa71

  • SHA512

    c3b522ca6530220435fa027d17e905dbf7ad9991e9e65d07ddad0e8cb51f55e479f35d11f2e289beda3d2c24bc7aef8c583a2b13df93598e495a1e734e6e5146

  • SSDEEP

    6144:RtvAvgwGaWEWS7WjpCwhj8cuEMDTr8x3EsznmkVq78+OYxsy2v6qF8rbJVktqB5u:7AvgmWS7WjGcsX8Okdq78r9VFw7JT1J

Malware Config

Targets

    • Target

      ac58566b0816ed10555d42d221bf5c12a70754e33b76adaf38253786ce57fa71

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks