General
-
Target
2d1cb79740ad3c65afdc693f5d5bc31c425d88a33bcd2d4f6d8044231b1427eb
-
Size
654KB
-
Sample
230510-rxmbssge78
-
MD5
eef5220a2f4e2271672abc644e563e45
-
SHA1
cb551ad223063517d67e18622044b406ef40c9d3
-
SHA256
2d1cb79740ad3c65afdc693f5d5bc31c425d88a33bcd2d4f6d8044231b1427eb
-
SHA512
6154d678cd118677b0d54d33bd31fcad397cc650f443c438c5cdf4e9a0a5a210a006cbe61ce7fdedad381eded57c8fe25a2c34fe1a9bef3e97f657c9738b5eb0
-
SSDEEP
12288:gXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:gXQnnYsNHXR9NlgobVcUK7UXrj++
Malware Config
Extracted
Protocol: smtp- Host:
mail.tcci.org.sa - Port:
587 - Username:
fahad.s@tcci.org.sa - Password:
Brown3044
Targets
-
-
Target
2d1cb79740ad3c65afdc693f5d5bc31c425d88a33bcd2d4f6d8044231b1427eb
-
Size
654KB
-
MD5
eef5220a2f4e2271672abc644e563e45
-
SHA1
cb551ad223063517d67e18622044b406ef40c9d3
-
SHA256
2d1cb79740ad3c65afdc693f5d5bc31c425d88a33bcd2d4f6d8044231b1427eb
-
SHA512
6154d678cd118677b0d54d33bd31fcad397cc650f443c438c5cdf4e9a0a5a210a006cbe61ce7fdedad381eded57c8fe25a2c34fe1a9bef3e97f657c9738b5eb0
-
SSDEEP
12288:gXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:gXQnnYsNHXR9NlgobVcUK7UXrj++
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-