General

  • Target

    de25f56ee4c5e49b335eaaf228c8334ce3931209d0e9ddb9094ca653a09e38b0

  • Size

    476KB

  • Sample

    221127-r58vrsef63

  • MD5

    9c1991c324bada5e248004c2314fd083

  • SHA1

    88a8af3acd4801769acd1b7547e006c78853f627

  • SHA256

    de25f56ee4c5e49b335eaaf228c8334ce3931209d0e9ddb9094ca653a09e38b0

  • SHA512

    af708b55f1d9667c80cf2a4984a9308279b15e11eacaf73514f0420c8a2527c7c8e9eebb1483a40a7552d236d74d85748326075e57a674d61f24f744423c6a36

  • SSDEEP

    6144:XJbVv9AcmXpu5gYzSOxyLdb1lZ3dMpu3UW19PsOdgk5mQl/f1BkaT+UBk2r/f5:5vVKU61LdwuE6ULkEQiaT+aNr/B

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    2525
  • Username:
    serkankulio123@mail.ru
  • Password:
    Amoneycometome22

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies WinLogon for persistence

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting: T1064 (1)

  • Persistence

    Winlogon Helper DLL: T1004 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)
    Scripting: T1064 (1)

  • Credential Access

    Credentials in Files: T1081 (1)

  • Discovery

    Query Registry: T1012 (1)
    System Information Discovery: T1082 (2)

  • Collection

    Data from Local System: T1005 (1)
    Email Collection: T1114 (1)

Tasks