General
-
Target
Sample_50120351252_ISO_003725.xlsm
-
Size
389KB
-
Sample
211025-pzphtshaer
-
MD5
58dc9ccb8187fd0b6ed26246621ebdeb
-
SHA1
268d21fe1053699dfff242fdcd6aab78928cf25b
-
SHA256
35871beee11759b36f67871d767ef10465e73e588f266904c33aadc840923580
-
SHA512
4c0f65c45a9fc0bde2ac4024bcfcca6fe54aae9f5e172709f56b719437dbf639dea723f6d1416fead206b2327f67418a3248add36e52324ba45fceff375749f5
Malware Config
Extracted
http://18.159.149.5/nbl/joy/1-1/Sample_50120351252_ISO_003725.exe
Extracted
snakekeylogger
Protocol: smtp- Host:
efinancet.shop - Port:
587 - Username:
magnet@efinancet.shop - Password:
BG##kz5dHzND
Targets
-
-
Target
Sample_50120351252_ISO_003725.xlsm
-
Size
389KB
-
MD5
58dc9ccb8187fd0b6ed26246621ebdeb
-
SHA1
268d21fe1053699dfff242fdcd6aab78928cf25b
-
SHA256
35871beee11759b36f67871d767ef10465e73e588f266904c33aadc840923580
-
SHA512
4c0f65c45a9fc0bde2ac4024bcfcca6fe54aae9f5e172709f56b719437dbf639dea723f6d1416fead206b2327f67418a3248add36e52324ba45fceff375749f5
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-