Number of Package.xlsx

General

Target: Number of Package.xlsx
Size: 718KB
Sample: 210728-5xfvd617sx
Score: 10/10
MD5: a247cc8b5eb2f580aa454b3846c3ad36
SHA1: 415bb2fdedf27176947e557ac969a09b9e9d035a
SHA256: db27960e5407802bd8416782c93898baf8c89e240348db47870ef55091195feb
SHA512: 31f99e8545b8bc6254a498d590c6b79ded8bc7213f1f407652cfc6d36702b5c6bd5918add236d9d50085ccb8d97f0b6ca721e192aed06d4e0c0e3e606c4de4e8

Malware Config

Extracted

Family: snakekeylogger
Credentials (exfiltration channel):
  Protocol: smtp
  Host: bh-16.webhostbox.net
  Port: 587
  Username: whesilolog@miratechs.gq
  Password: 7213575aceACE@#$

Targets

Target: Number of Package.xlsx
Filesize: 718KB
Score: 10/10
MD5: a247cc8b5eb2f580aa454b3846c3ad36
SHA1: 415bb2fdedf27176947e557ac969a09b9e9d035a
SHA256: db27960e5407802bd8416782c93898baf8c89e240348db47870ef55091195feb
SHA512: 31f99e8545b8bc6254a498d590c6b79ded8bc7213f1f407652cfc6d36702b5c6bd5918add236d9d50085ccb8d97f0b6ca721e192aed06d4e0c0e3e606c4de4e8

Signatures

  • Snake Keylogger
    Description: Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer
    Description: Detects CustAttr .NET packer in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Tasks

static1
behavioral1: 10/10
behavioral2: 1/10