General

  • Target

    NO#CU-92504 Xls_1.lzh

  • Size

    794KB

  • Sample

    231012-jqttashc44

  • MD5

    2aa400b2159fa6a0dc2aa66e76baa7ac

  • SHA1

    1029f0872d8ffaf7846baf99f0e525f44db88d44

  • SHA256

    c7448faf4e8737ed7260e0c0d48c56ba74b54e558805b869d28902d0b5a911eb

  • SHA512

    99b0db7d40bcfd6565a06cdac33536b1ef72bcd7adc607c56e2f6c878e1bdf892cbe8fc1b6f76fa361a7948a74394774414fba6bbf53f65e76d0ee0655eb592f

  • SSDEEP

    24576:WRsj/7VWBt1ejCbntRCnZZbuTdTeaIq+H4xXL:B/ctQjCbnuPShTrINYx7

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.lucd.shop
  • Port:
    587
  • Username:
    hwk@lucd.shop
  • Password:
    @lucd.shop

Targets

    • Target

      NO#CU-92504 Xls.exe

    • Size

      1.1MB

    • MD5

      59d184058f8e0a314db11d6f07f600fd

    • SHA1

      5e4b55295fd2b4cc5965fa1e8b322260c5d2a2b6

    • SHA256

      65df886edbea1a5bc833dba4e8e5126ad6326fa44f49e146a9c4b8b34fe75333

    • SHA512

      94adda18b842f927693d6831becbb10c249867c466cb3f2659dc1def9ae05024c7d8cf8a4567fc19f5a1c67495a7994010e1e3e3b3f7784f55f8f7916e190d8c

    • SSDEEP

      24576:mZRToVSu+nsc24YQeP18a5v8UKyd0c7u3yd2OluON4fA9uC:mZRToAu+ns082evFbdLu3yd2OluON4ff

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Looks for VirtualBox Guest Additions in registry

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks