DOC_scan10002.doc

General

Target: DOC_scan10002.doc
Size: 62KB
Sample: 210727-81x38yv996
Score: 10/10
MD5: a79887f6a16088002da8171f306e1c35
SHA1: 61f8ebea354416303d5904f625255c8381852a2e
SHA256: e6208325c155b89a626654ffbf06de21ef809ba583c9742952f006326fce8493
SHA512: 8fd416b2d297715dc07bee2e1c517c7f19445da4fd3a2ed5ef3500d79d5e39b74d7d5b82009c61c1e144fef797d9e94dce30c9460958a08ef3afd8e9e4493c15

Malware Config

Extracted

Family: snakekeylogger

Credentials (SMTP account recovered from the sample's configuration; treat the host, account and password below as compromised indicators, not as settings to reuse)

Protocol: smtp
Host: mail.bundabergtrophies.com.au
Port: 587
Username: admin@bundabergtrophies.com.au
Password: nKlnBbMZLI

Targets

Target: DOC_scan10002.doc
MD5: a79887f6a16088002da8171f306e1c35
Filesize: 62KB
Score: 10/10
SHA1: 61f8ebea354416303d5904f625255c8381852a2e
SHA256: e6208325c155b89a626654ffbf06de21ef809ba583c9742952f006326fce8493
SHA512: 8fd416b2d297715dc07bee2e1c517c7f19445da4fd3a2ed5ef3500d79d5e39b74d7d5b82009c61c1e144fef797d9e94dce30c9460958a08ef3afd8e9e4493c15

Signatures

  • Snake Keylogger

    Description

    Snake Keylogger is a keylogger and infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext
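Taken together, the signatures above describe one execution chain: an Office document runs a dropped executable, the payload looks up the host's external IP through a public web service, and the stolen data leaves over SMTP submission (port 587) to the mail server in the extracted config. The following Python detector is an added example written for this page, not part of the sandbox report or of any vendor tooling. It walks a constructed, Sysmon-style list of process-creation and network-connection events, flags any process with an Office ancestor that runs from a user-writable path, and raises the severity when that process also contacts an IP-lookup service or the SMTP host/port. The exfiltration host and port are taken from the extracted config; the event format, the process images, and the list of IP-lookup hosts are assumptions chosen for the example.

```python
"""Flag a Snake Keylogger style chain (Office -> dropped EXE -> IP lookup -> SMTP 587)
in process and network telemetry. Added example; event data below is constructed."""
from collections import defaultdict

# From the report's extracted config.
EXFIL_HOST = "mail.bundabergtrophies.com.au"
EXFIL_PORT = 587

# Assumptions for the example: the report names no lookup service or file paths.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed Sysmon-like events: "process" = process creation, "net" = outbound connection.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Roaming\update.exe"},      # dropped EXE
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Roaming\update.exe"},      # child spawned by the dropper
    {"type": "net", "pid": 300, "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"type": "net", "pid": 300, "dest_host": EXFIL_HOST, "dest_port": EXFIL_PORT},
    {"type": "process", "pid": 400, "ppid": 1,
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},  # benign mail client
    {"type": "net", "pid": 400, "dest_host": "smtp.example.com", "dest_port": 587},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return findings for processes whose ancestry includes an Office application."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            conns[e["pid"]].append(e)

    def ancestors(pid):
        # Walk ppid links, guarding against pid reuse loops in real telemetry.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            yield procs[pid]
            pid = procs[pid]["ppid"]

    findings = []
    for pid, proc in procs.items():
        chain = list(ancestors(pid))
        # chain[0] is the process itself; any earlier Office process is an ancestor.
        if not any(_basename(a["image"]) in OFFICE_PROCS for a in chain[1:]):
            continue
        reasons = []
        if proc["image"].lower().startswith(USER_WRITABLE):
            reasons.append("executes from user-writable path under an Office ancestor")
        for c in conns.get(pid, []):
            host = c["dest_host"].lower()
            if host in IP_LOOKUP_HOSTS:
                reasons.append(f"external IP lookup via {host}")
            if host == EXFIL_HOST or c["dest_port"] == EXFIL_PORT:
                reasons.append(f"SMTP submission to {host}:{c['dest_port']}")
        if reasons:
            network_hit = any("lookup" in r or "SMTP" in r for r in reasons)
            findings.append({
                "pid": pid,
                "image": proc["image"],
                "reasons": reasons,
                "severity": "high" if network_hit else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

The mail client on pid 400 also uses port 587, but it has no Office ancestor and so is never considered; the Office-ancestry check is what keeps the port-587 indicator from firing on ordinary mail traffic. In production telemetry the ancestor walk should use process GUIDs rather than bare PIDs, since PIDs are reused.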

Related Tasks

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 1/10