General
Target: 4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls
Size: 118KB
Sample: 210624-58mrk793ba
MD5: 4214df1ddc5e781bd44ae657284476b9
SHA1: 4c6e2dca5d80b3c2c6191266e3a07e5d668752d2
SHA256: bd91083ce01f04c11111c5c33b76552125e1961efbbe15010b1de43349a08843
SHA512: 00d945cf9d210c3b251351d6c6afd6ef9e50b873fe2f2e8da99cb41a79370a7ea7b02131ab4b081a332f732fb647484fd45cb988a0acd46195dac09db93c63a5
Static task: static1
Behavioral task: behavioral1
Sample: 4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls
Resource: win7v20210408
Malware Config
Extracted: http://212.192.241.94/news/IMG_1081007003xls.exe
Extracted: snakekeylogger
Protocol: smtp
Host: nobettwo.xyz
Port: 587
Username: saturn1@nobettwo.xyz
Password: O^1)7]oEv=*a
Targets
Score: 10/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext