General

  • Target

    Purchase List Xls.exe

  • Size

    1.1MB

  • Sample

    230921-vts7qabe73

  • MD5

    cd8fc2c274368e1343bf8d74c32fa24e

  • SHA1

    535ec18e4fbc9895e3941c396ede59e5d2b8925e

  • SHA256

    f2090573cb87041990365a6fec8532cdc4f1cd9928a1aae37e06d0f1f8a5e9d5

  • SHA512

    0a5c0a46ed84a160e670d0f1decfbde20db2f05c644fdbc0a57e229af57f10be2e4cd5f691ad2dab0dfeed0723424d4ad120e13b25043ea9a9716f712196cb9a

  • SSDEEP

    24576:JCUdkXSFsDBEPaZ03lqSlwvtvl3yd2OluON4fA9uC:sUGJD6PaO1qSlstvl3yd2OluON4fA9u

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.lucd.shop
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @lucd.shop

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Looks for VirtualBox Guest Additions in registry

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
