General
-
Target
STATIONERY MATERIALS-ORDER SUPPLEMENT.r00
-
Size
434KB
-
Sample
210727-svml73wedx
-
MD5
bf5debdb19350b5beb73576e30398a55
-
SHA1
1f80881a755bd14742d3572c488c87f5b421f451
-
SHA256
beba1b53cc5aed5341b78c6011cf16136218faa25d0a5ae6b9e2e3ce952f0d78
-
SHA512
c85fb8ca493d303b2f3de214c655462b5443c4e52d6845f0c51eb430ffbf2a076be725b46a83db0f2943556992d5624747a18f1f726f5bb1f25341bfa573a5fe
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.ademkocplastik.com.tr - Port:
587 - Username:
ihracat@ademkocplastik.com.tr - Password:
Ad1.iqwerty?_
Targets
-
-
Target
STATIONERY MATERIALS-ORDER SUPPLEMENT.exe
-
Size
574KB
-
MD5
334c0820434d474ffc6d7347f8c27697
-
SHA1
f0af5e6bb35f3b10f26386f4ad77db78ed0b4a72
-
SHA256
1aa71ccdef644e05966553af027e6434454c8e76a1e04522a7ad2da789d8f248
-
SHA512
8deaec055e232565d30de462082245d1d4967de1777e4d22d8969a017022da2479af029e37674c4a31d6aee1961e9b00f69808c6cf0d7a0f150a474ee2ff5d64
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
CustAttr .NET packer
Detects CustAttr .NET packer in memory.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-