General
Target: Jvhmoaft.exe
Size: 39KB
Sample: 220325-vtp53afdbq
MD5: f9042a40439be42c2cfa8c383d87187c
SHA1: 1f86fbb29ae56ed28b158205976dfe9d51f8ff17
SHA256: de548a7533d3aa11d7a2206cc903d09d4475fdb6f1e33f3c567573600e691574
SHA512: f045c94a6258bbf97ec0e1ff11fffad8dd169c575c87310241f264a56765a0732a4d8fd5c869a629b58f4a7f4184e11c03ce590281a08fee9494fb0e6c050cf3
Static task: static1
Behavioral task: behavioral1
Sample: Jvhmoaft.exe
Resource: win7-20220311-en
Malware Config
Extracted: snakekeylogger
- https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/sendMessage?chat_id=1376739206
Extracted: xloader
Version: 2.5
Campaign: ssac
Decoy domains:
- beautybybrin.com
- oregemo.com
- prospectoriq.com
- blazermid.com
- cloudnineloans.com
- myyntisofta.com
- filoupoils.com
- web-solutiontnpasumo3.xyz
- becbares.com
- lines-hikkoshi.com
- ohayouwww.com
- writingdadsobituarywithdad.com
- bridalbaes.com
- jamshir.com
- rangertots.com
- dankbrobeans.com
- titan111.com
- uplearns.info
- maxicashprokil.xyz
- evc24.com
- mingshan888.com
- thehomefurnishings.com
- jjyive.space
- vtkk.info
- state-attorney.online
- zoho.systems
- nd300.com
- ivermectinforanimals.ca
- gruppobenedetto.com
- planet99angka.xyz
- astrotiq.com
- fangshensj.com
- ocean.limited
- zalaridumpf.quest
- cursolibreonline.com
- lifein.art
- identspactures.com
- nfltvgo.com
- chronicfit.store
- mariajosereina.com
- hebbz764776341.com
- anpxlmmspix.mobi
- mydevhub.tech
- nobelrealm.com
- dentalteamny.com
- patinerd.com
- socratisbey.xyz
- hnylcwfs.com
- yujieqin.com
- midorato.com
- sunglowdragon.com
- americaplr.com
- cxqdscape.com
- situsgacor.xyz
- sattlerei-dortmund.com
- life120lospaccio.com
- riddleme.one
- perpustakaan-geominerba.online
- renatafaceandbodyskincare.com
- allkoreas.com
- myvisitiq.com
- candlesallday.com
- poleador.com
- 4hsp116.com
- homesbyvw.com
Targets
Target: Jvhmoaft.exe
Size: 39KB
MD5: f9042a40439be42c2cfa8c383d87187c
SHA1: 1f86fbb29ae56ed28b158205976dfe9d51f8ff17
SHA256: de548a7533d3aa11d7a2206cc903d09d4475fdb6f1e33f3c567573600e691574
SHA512: f045c94a6258bbf97ec0e1ff11fffad8dd169c575c87310241f264a56765a0732a4d8fd5c869a629b58f4a7f4184e11c03ce590281a08fee9494fb0e6c050cf3
- Snake Keylogger Payload
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext