General
Target: Purchase Order From Hanon systems Ltd.doc
Size: 1.2MB
Sample: 210419-57z333bc86
MD5: d9a7f66522882d74a20738f1c3d2681f
SHA1: b5a13dea22b2da04d1147c292f1f8d8ac39d777d
SHA256: 777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214
SHA512: 74f5ea5ee011c243fed3d94f15382e51e09705ac890767e11954978e5b81d56c2f9d233fb59052d2828516dd50e919355a51af134179ad392bb14f6c43eac916
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order From Hanon systems Ltd.doc.rtf
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Purchase Order From Hanon systems Ltd.doc.rtf
  Resource: win10v20210410
Malware Config
Extracted: snakekeylogger
Protocol: smtp - Host: nobettwo.xyz - Port: 587 - Username: [email protected] - Password: O^1)7]oEv=*a
Targets
Target: Purchase Order From Hanon systems Ltd.doc
Score: 10/10
Modifies WinLogon for persistence
Snake Keylogger Payload
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext