TRACKING NUMBER.doc

General

Target: TRACKING NUMBER.doc
Size: 63KB
Sample: 210728-vqcgj9k1ax
Score: 10/10
MD5: 85f32390c19a033a1d2569863469a615
SHA1: 81689cd34e0ad021432bd0db43f5313cf0189705
SHA256: 7fb33351d6ef6a9ae6f3c953b3c45743281217ed32c7fe8ef8d9f06161589e7d
SHA512: 34ae29f2bcce0f213e76f92e298ad875180a5683ada3dd45d6ad2078a060e74a6ab3573be1268ef1d10e90c7d8d0614f226c77bc5f60f42aa7f2d8a5d24556e7

Malware Config

Extracted

Family: snakekeylogger
Credentials
  Protocol: smtp
  Host: bh-16.webhostbox.net
  Port: 587
  Username: whesilolog@miratechs.gq
  Password: 7213575aceACE@#$

Targets

Target: TRACKING NUMBER.doc
Filesize: 63KB
Score: 10/10
MD5: 85f32390c19a033a1d2569863469a615
SHA1: 81689cd34e0ad021432bd0db43f5313cf0189705
SHA256: 7fb33351d6ef6a9ae6f3c953b3c45743281217ed32c7fe8ef8d9f06161589e7d
SHA512: 34ae29f2bcce0f213e76f92e298ad875180a5683ada3dd45d6ad2078a060e74a6ab3573be1268ef1d10e90c7d8d0614f226c77bc5f60f42aa7f2d8a5d24556e7

Signatures

  • Snake Keylogger
    Description: Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer
    Description: Detects CustAttr .NET packer in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 1/10