General
Target: Payment Slip ETL_050_6380247.doc
Size: 824KB
Sample: 210408-gjyt79hpya
MD5: a68f53e59383050cf5c0f92ac964dfb1
SHA1: 43a1afe645d5f828b991785f2f9e8e9833063ed3
SHA256: 8dead61d3783e37eef1dc2062acd13670f59da4f0dab124d533dd4d684b3ed60
SHA512: e67053a81a7a9c52c2fda7435b9cef4f52ad658cce1aedd95715f1d63ca0f9717e0eb8fbbc5b061d3f764f5388604841189907821366122d83f93266eaa76cc4
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Slip ETL_050_6380247.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Payment Slip ETL_050_6380247.doc
  Resource: win10v20201028
Malware Config
Extracted: http://bit.ly/3uqfHTI
Extracted: snakekeylogger
  Protocol: smtp
  Host: nobettwo.xyz
  Port: 587
  Username: bal@nobettwo.xyz
  Password: KvgnCIGBE8+H
Targets
Target: Payment Slip ETL_050_6380247.doc
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext