Overview

overview

10

Static

static

3

Purchase List Xls.exe

windows7-x64

1

Purchase List Xls.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase List Xls.exe

  • Size

    1.1MB

  • Sample

    231012-hsyplach51

  • MD5

    cd8fc2c274368e1343bf8d74c32fa24e

  • SHA1

    535ec18e4fbc9895e3941c396ede59e5d2b8925e

  • SHA256

    f2090573cb87041990365a6fec8532cdc4f1cd9928a1aae37e06d0f1f8a5e9d5

  • SHA512

    0a5c0a46ed84a160e670d0f1decfbde20db2f05c644fdbc0a57e229af57f10be2e4cd5f691ad2dab0dfeed0723424d4ad120e13b25043ea9a9716f712196cb9a

  • SSDEEP

    24576:JCUdkXSFsDBEPaZ03lqSlwvtvl3yd2OluON4fA9uC:sUGJD6PaO1qSlstvl3yd2OluON4fA9u

Score
10/10
hawkeyeevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      Purchase List Xls.exe

    • Size

      1.1MB

    • MD5

      cd8fc2c274368e1343bf8d74c32fa24e

    • SHA1

      535ec18e4fbc9895e3941c396ede59e5d2b8925e

    • SHA256

      f2090573cb87041990365a6fec8532cdc4f1cd9928a1aae37e06d0f1f8a5e9d5

    • SHA512

      0a5c0a46ed84a160e670d0f1decfbde20db2f05c644fdbc0a57e229af57f10be2e4cd5f691ad2dab0dfeed0723424d4ad120e13b25043ea9a9716f712196cb9a

    • SSDEEP

      24576:JCUdkXSFsDBEPaZ03lqSlwvtvl3yd2OluON4fA9uC:sUGJD6PaO1qSlstvl3yd2OluON4fA9u

    Score
    10/10
    hawkeyeevasionkeyloggerpersistencespywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks