General
Target: Sample_03018200_ISO_03512328.xlsm
Size: 389KB
Sample: 211025-pzphtsgbe7
MD5: 02c95603229648cdcc202dbfcb0986d1
SHA1: 3e54ebf74799844c8de1922c5cd4b60f1d8c0340
SHA256: 54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54
SHA512: 5c714532a453ace9c32662acbe9872a670946ef3bca244226f48d882737424a3c9561b11f2ad8b9241c64ed1d48f007b60423043b7c973df80767715f9e9b3ee
Static task: static1
Behavioral task: behavioral1
Sample: Sample_03018200_ISO_03512328.xlsm
Resource: win7-en-20211014
Behavioral task: behavioral2
Sample: Sample_03018200_ISO_03512328.xlsm
Resource: win10-en-20211014
Malware Config
Extracted: http://18.159.149.5/nbl/joy/1-1/Sample_03018200_ISO_03512328.exe
Extracted: snakekeylogger
Protocol: smtp
Host: efinancet.shop
Port: 587
Username: mortgage@efinancet.shop
Password: SU^QlsaPg%E#
Targets
Target: Sample_03018200_ISO_03512328.xlsm
Size: 389KB
MD5: 02c95603229648cdcc202dbfcb0986d1
SHA1: 3e54ebf74799844c8de1922c5cd4b60f1d8c0340
SHA256: 54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54
SHA512: 5c714532a453ace9c32662acbe9872a670946ef3bca244226f48d882737424a3c9561b11f2ad8b9241c64ed1d48f007b60423043b7c973df80767715f9e9b3ee
Score: 10/10
Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext