product picture.xlsx

General
Target

product picture.xlsx

Size

629KB

Sample

210727-ck2wjz9v6x

Score

10/10

MD5

a793904f9e649cdec7b2d27b7f6faf0d

SHA1

9a364e1755fbb8ed41ba9c34364e85255ff2d636

SHA256

1cfe05628f52cf99f5320c612e340abe35d30f56527d3949677b87716914d68d

SHA512

53d38acd0fa81b6a979b5777378453d1a8612591095de78f0763e080a20e283bf9c80aae3fc8956739f5dcede7b0f11d7c587118f6fab6f091fa82d27a431163

Malware Config

Extracted

Family snakekeylogger
Credentials

Protocol: smtp

Host: miratechs.gq

Port: 587

Username: arinzelog@miratechs.gq

Password: 7213575aceACE@#$

Targets
Target

product picture.xlsx

MD5

a793904f9e649cdec7b2d27b7f6faf0d

Filesize

629KB

Score

10/10

SHA1

9a364e1755fbb8ed41ba9c34364e85255ff2d636

SHA256

1cfe05628f52cf99f5320c612e340abe35d30f56527d3949677b87716914d68d

SHA512

53d38acd0fa81b6a979b5777378453d1a8612591095de78f0763e080a20e283bf9c80aae3fc8956739f5dcede7b0f11d7c587118f6fab6f091fa82d27a431163

Tags

Signatures

  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

    Tags

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Tasks

static1

behavioral1

10/10

behavioral2

1/10