General

  • Target

    68ec85110d9754a5ddfe8a60cb62995da0b6ba33dc5c7519b006446ffa50b0aa

  • Size

    292KB

  • Sample

    240417-p6jk6ahf5x

  • MD5

    2e61eaad8d78873ecc4e91563ae87cc3

  • SHA1

    bc7162b761ac8a73283be3adcb179bc56d00b0ae

  • SHA256

    68ec85110d9754a5ddfe8a60cb62995da0b6ba33dc5c7519b006446ffa50b0aa

  • SHA512

    80bcb5fdce67d5be643cb15497cf4e98824af002ca96f017c3e02efbe07d79cb8b831273af779dc67da354dab62a1f9d4cb1749c344675c9b979ae209b5e2598

  • SSDEEP

    6144:gWEdhdmo0HtOEBNPsF/lG3tkR/lP+HmOOFJyFAkRJM0BT7YOm:gNd6o0NOEBBw/lktkxOl00+Om

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.lucd.ru
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    doll@@2020

Targets

    • Target

      746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc.exe

    • Size

      520KB

    • MD5

      42975e59f70448efb621c1f9c4bca01b

    • SHA1

      acd00215d93e8e81d32e10d0a88127da4133c1da

    • SHA256

      746d8f96f8153a4e45bb998ec885c82ffa1b4aaa18eb1381db2a2ed851e876cc

    • SHA512

      312ef962115a65a13459702995c6b71363238658a4fe2bbf1075bc5333aff03eafdae83999a6789cff9ee1c3a0bcdcea1c37ad18629a60eef2ce21587440afcc

    • SSDEEP

      6144:uuaqLk33bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9v:y33QtqB5urTIoYWBQk1E+VF9mOx9Vi

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks