General
-
Target
43e66c483be9cbb9f35ce7f57bf255925abd25a8fc40b80d79bf0cd2a3f54af9.zip
-
Size
845KB
-
Sample
240402-q7mvmscc5s
-
MD5
f54418d73c6f0c92e0f2a37cff240024
-
SHA1
b8571a5ce430380bf050cc6f5b3e26c7d8143c1c
-
SHA256
36b527e92b47a5d30b7874eb82ad9f07c656fa61f2f860ea8e0bd2f02fc732d6
-
SHA512
3d5aaede4a1948f4de7bac4936836f8c236090a2bb9308a20ab9b71809a9889033f6a18e9509e8965e71cdb8d9fcee0f5d39250a18cd9db49967d46a71d1f2bf
-
SSDEEP
24576:WmQ1JLy4RJLEhNhMaxbz9jI3eMrF9ewI0y:7AXRJLEh8abRjIB5I
Malware Config
Extracted
Protocol: ftp- Host:
ftp.lucd.ru - Port:
21 - Username:
[email protected] - Password:
obum@911
Targets
-
-
Target
43e66c483be9cbb9f35ce7f57bf255925abd25a8fc40b80d79bf0cd2a3f54af9.exe
-
Size
1.2MB
-
MD5
eea1fbd22436e2b085fa5fcc55ea052e
-
SHA1
76f7c18a39a48b86dda253eaa146fd6e1aa5df89
-
SHA256
43e66c483be9cbb9f35ce7f57bf255925abd25a8fc40b80d79bf0cd2a3f54af9
-
SHA512
3f9d3756e4e5f0bc1841a3fbfffd12fdd52708bb97db36b01dbb96b34946944e42297d9eb6e871f4ba5d653771118035eb7fc88f948e806911916409fc1bbdbe
-
SSDEEP
24576:/j0pZcKDySR/Pxt8eD8dSevyifwZpNZ0C:L0zOu/JtR8HvyuSeC
Score10/10-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Looks for VirtualBox Guest Additions in registry
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-