Overview

overview

10

Static

static

5

50ddb0762f...79.exe

windows7-x64

10

50ddb0762f...79.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    50ddb0762fcd661f619cecdd9f62cb62ee1de9e63532d0a1d17e452dda709779

  • Size

    1.5MB

  • Sample

    221128-ttxdpsge46

  • MD5

    0ac6e0bfcc378bfa3b6f2e8688058c62

  • SHA1

    80f1722091176c7dae5c8370a6b790fc32db0d2a

  • SHA256

    50ddb0762fcd661f619cecdd9f62cb62ee1de9e63532d0a1d17e452dda709779

  • SHA512

    578e22e99143c6994c3c088f5d7ad8781f2d82525df9e0896f8864291a0e79df26a5db9f304f01a38da52370e1701bb55c73ddb3b30bb39819d1376b9ed0eb47

  • SSDEEP

    49152:wkwkn9IMHeayh5KyMLX61Gc4GztGdLBiZaPCS:LdnV0hML6UzGztGdjPC

Score
10/10
hawkeyecollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    mthcontrast.dk@gmail.com
  • Password:
    kelechi1

Targets

    • Target

      50ddb0762fcd661f619cecdd9f62cb62ee1de9e63532d0a1d17e452dda709779

    • Size

      1.5MB

    • MD5

      0ac6e0bfcc378bfa3b6f2e8688058c62

    • SHA1

      80f1722091176c7dae5c8370a6b790fc32db0d2a

    • SHA256

      50ddb0762fcd661f619cecdd9f62cb62ee1de9e63532d0a1d17e452dda709779

    • SHA512

      578e22e99143c6994c3c088f5d7ad8781f2d82525df9e0896f8864291a0e79df26a5db9f304f01a38da52370e1701bb55c73ddb3b30bb39819d1376b9ed0eb47

    • SSDEEP

      49152:wkwkn9IMHeayh5KyMLX61Gc4GztGdLBiZaPCS:LdnV0hML6UzGztGdjPC

    Score
    10/10
    hawkeyecollectionevasionkeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • UAC bypass

      evasiontrojan

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks