Overview

overview

10

Static

static

Copy_Of_Ba...ts.exe

windows7-x64

10

Copy_Of_Ba...ts.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6289aae97ac2f026a4b6171ae2df8dcea2310a20f0626f1ed68758c7ed55fc77

  • Size

    765KB

  • Sample

    221126-rdvh3ahd82

  • MD5

    c0d23ca1289e47fd1dc8f888412673a1

  • SHA1

    b4f493f4c8871f01d6f96902907100bf4ce39180

  • SHA256

    6289aae97ac2f026a4b6171ae2df8dcea2310a20f0626f1ed68758c7ed55fc77

  • SHA512

    227a850d8733c4914d764fe34a6ef1471a593e043fb7a49834a9b1fb62f9fa606947b893547a9fb20d251270cc7b5f1e9a19eb22b6155cee44832fd625afc884

  • SSDEEP

    12288:LNxKEs5iIlU9zfG4fpPiVVL8d5rV6nCFtYAtktkbQSYP8ZVps3CHhdgtWR76Twp:LNxbeiIq9z+4pPizL8dlV6nCzYMLCyF3

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.acsbaroda.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Admin1975*

Targets

    • Target

      Copy_Of_Balance_Payments.exe

    • Size

      856KB

    • MD5

      6796097989ff8aa921d83d2a3553bb21

    • SHA1

      ccd7805053b00b3e14b703517662a0036f95acbb

    • SHA256

      5f81c6852cc89916688dd380bf23185a1fcf2cd7fb5a93da32d22644ef0769c9

    • SHA512

      12262825e17afac04f28ff4eb986aaccf0f615f010fd9e8e043f423c65be64ad8a2508b9bce1da901e20d5770a97af447a384d5c9a76d162d19ba51a288747ae

    • SSDEEP

      24576:rEe1hYtljbiiIq9r+EpPinL6dTVUnCzoChg9:oeI/jvIq9v86dTVUnCzoCc

    Score
    10/10
    hawkeyecollectionkeyloggerspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks