General

  • Target

    11674566496.zip

  • Size

    569KB

  • Sample

    230830-hxxcbsad29

  • MD5

    783cae686cadb206eb0d2f56b21cda33

  • SHA1

    20066ba2cd836f20368844f5aec923ab4dcf2534

  • SHA256

    26bad25289defb0340ab061b79a2bb9130ef3cdf7630c670e9b5eb75165651b1

  • SHA512

    11a12b8b57741a763bd5f52aa7e25392e1aeb00c2b7e2760db18cc20d549d47ded55b30a992c882ba1215a4f3313ab674ce82171d8e46e9b5068b54a0eb0475d

  • SSDEEP

    12288:IWEJWgvpn6ZZxeZFXalFIzropW3P/xaJM2Fn/I/HigF:hGILxeZFXal0WWwMqnACY

Malware Config

Targets

    • Target

      e63b24adf9119f7d500167a62d62d3b8a35f4694f8488fc764523fd322fb2dce

    • Size

      612KB

    • MD5

      8ce71e40eda2d9304c1e127c60500e0c

    • SHA1

      93ef97529dcaa047d023456103827b6f97345caf

    • SHA256

      e63b24adf9119f7d500167a62d62d3b8a35f4694f8488fc764523fd322fb2dce

    • SHA512

      12c8386596d215cf56e6e14db5e14cce8b65a90c028f75abcce5169c0830f505bb82473232e58b1cf53b17375cc4f1c0054702ed7920033658f3fe327cb1a8e8

    • SSDEEP

      12288:2C9nooXEOly/1vzgvTYKCT0T9Cg4bRWCc9OY9uF/:2Caf1790T90ICc9fw

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies WinLogon for persistence

      Changes a value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (typically Userinit or Shell) so the payload is launched at every logon; this is the T1547.004 entry in the matrix below.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

      Runs code through the Visual Basic compiler binary (vbc.exe), a signed Microsoft executable shipped with the .NET Framework. Taken together with the SetThreadContext signature below, this is consistent with the payload being injected into a hollowed vbc.exe process rather than compiled by it.

    • Adds Run key to start application

      Writes an entry under a CurrentVersion\Run key so the application starts at user logon (T1547.001 in the matrix below).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting another thread's context is the step that redirects execution to injected code in process hollowing and related injection techniques; a legitimate compiler has no reason to call it on a foreign process.
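
The following is an added example, not part of the sandbox report: offline checks for three of the behaviours listed above (a tampered Winlogon value, a Run key launching from a user-writable directory, and a request to an external-IP lookup service). The .reg export and proxy log are constructed sample data, and the Winlogon defaults, the user-writable-path heuristic and the IP-lookup host list are the editor's assumptions, not values taken from the report.

```python
"""Offline triage checks for Winlogon tampering, suspicious Run keys and
external-IP lookups. Added example; all sample data and heuristics below
are constructed assumptions, not taken from the sandbox report."""
import re

# Constructed .reg-style export: stock Shell, a Userinit value with a second
# executable appended, and one Run entry launching from %APPDATA%.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\svchost.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WindowsUpdate"="C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"
"""
# Constructed proxy log: timestamp, client IP, process, method, URL, status.
SAMPLE_PROXY_LOG = """\
2023-08-30T12:00:01Z 10.0.0.5 sample.exe GET http://bot.whatismyipaddress.com/ 200
2023-08-30T12:00:03Z 10.0.0.5 chrome.exe GET https://www.microsoft.com/ 200
2023-08-30T12:00:09Z 10.0.0.5 sample.exe POST http://mail.example.net/ 200
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed stock values; in practice compare against a known-good baseline image.
WINLOGON_DEFAULTS = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe,", r"c:\windows\system32\userinit.exe"},
}
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Heuristic (assumption): autostart binaries under these directories deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
# Assumed list of services commonly abused for external-IP discovery.
IP_LOOKUP_HOSTS = {"whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org",
                   "icanhazip.com", "ipinfo.io", "ifconfig.me"}
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \S+://([^/:\s]+)")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; only REG_SZ lines are needed here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside string data.
            name, data = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
            keys[current][name] = data
    return keys


def check_winlogon(reg):
    """Winlogon Shell/Userinit values that differ from the baseline (T1547.004)."""
    values = reg.get(WINLOGON_KEY, {})
    return [(name, values[name]) for name, ok in WINLOGON_DEFAULTS.items()
            if name in values and values[name].strip().lower() not in ok]


def _exe_path(command):
    """Executable portion of a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def check_run_keys(reg):
    """Run entries whose executable lives in a user-writable location (T1547.001)."""
    return [(name, _exe_path(data)) for key in RUN_KEYS
            for name, data in reg.get(key, {}).items()
            if USER_WRITABLE.search(_exe_path(data))]


def check_ip_lookup(log_text):
    """(process, host) pairs for requests to an external-IP lookup service."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        process, host = m.group(3), m.group(5).lower()
        if host in IP_LOOKUP_HOSTS or any(host.endswith("." + h) for h in IP_LOOKUP_HOSTS):
            hits.append((process, host))
    return hits


def triage(reg_text=SAMPLE_REG, log_text=SAMPLE_PROXY_LOG):
    """Run all three checks and return the findings keyed by behaviour."""
    reg = parse_reg_export(reg_text)
    return {"winlogon": check_winlogon(reg), "run_keys": check_run_keys(reg),
            "ip_lookup": check_ip_lookup(log_text)}


if __name__ == "__main__":
    for behaviour, findings in triage().items():
        print(behaviour, findings or "clean")
```

On a real host, feed `parse_reg_export` the output of `reg export` for the Winlogon and Run keys and `check_ip_lookup` a proxy or Sysmon network log in the same field order; the Winlogon comparison is deliberately strict because the stock Userinit value is a single fixed string, so any appended path is a finding.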

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                                   Hits  ID
  Execution             Scripting                                   1     T1064
  Persistence           Boot or Logon Autostart Execution           2     T1547
                          Registry Run Keys / Startup Folder        1     T1547.001
                          Winlogon Helper DLL                       1     T1547.004
  Privilege Escalation  Boot or Logon Autostart Execution           2     T1547
                          Registry Run Keys / Startup Folder        1     T1547.001
                          Winlogon Helper DLL                       1     T1547.004
  Defense Evasion       Modify Registry                             2     T1112
                        Scripting                                   1     T1064
  Discovery             System Information Discovery                1     T1082

  "Hits" is the number of matching signatures. T1547 is listed under both Persistence and Privilege Escalation because ATT&CK assigns it to both tactics, so the two blocks describe the same two registry changes. T1064 (Scripting) was deprecated when ATT&CK introduced sub-techniques (v7) in favour of T1059 (Command and Scripting Interpreter) and T1027 (Obfuscated Files or Information); the sandbox still reports the retired ID, so map it before using it in a v13-based coverage review.

Tasks