General
-
Target
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
Size
1008KB
-
Sample
221128-mb7cmafb37
-
MD5
3a4ab7084fe967a029f3c54ab7f9cf52
-
SHA1
648827cb4d63421ff5fbc6dd04282dc11ca6ca99
-
SHA256
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
SHA512
12f6a31615919c0fc4b949f529114c65fe8d7e6c14a3ede82e9e4e8b5fa5ac40808fd863e249caa580210d657396f5e13f1bac44c8c30b3cef4c81b57e7c6ff1
-
SSDEEP
12288:yfX3sAdDa1oLJNoKwQS9/Vh1IJcXWyPiKFdZJP3t+vlYvhDPlIrvtgpxVcvuS94U:gyo1N6VkJhyPDl3zPlIvnvuxHHGdH
Malware Config
Targets
-
-
Target
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
Size
1008KB
-
MD5
3a4ab7084fe967a029f3c54ab7f9cf52
-
SHA1
648827cb4d63421ff5fbc6dd04282dc11ca6ca99
-
SHA256
4cace28eddc52ee96da50475956e9092200dbd103a8a55761e5c61e85843021e
-
SHA512
12f6a31615919c0fc4b949f529114c65fe8d7e6c14a3ede82e9e4e8b5fa5ac40808fd863e249caa580210d657396f5e13f1bac44c8c30b3cef4c81b57e7c6ff1
-
SSDEEP
12288:yfX3sAdDa1oLJNoKwQS9/Vh1IJcXWyPiKFdZJP3t+vlYvhDPlIrvtgpxVcvuS94U:gyo1N6VkJhyPDl3zPlIvnvuxHHGdH
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-