General
Target: Purchase Order.js
Size: 543KB
Sample: 220614-h8dz5acfbn
MD5: 7455e47fd3e5f66fc5b6e1807ea0b568
SHA1: f4b3b59f3bc167f56fcf252f725a2b27d40a9de6
SHA256: 5ca1451c5426fb3bb6e4394f5e52ee6651683e78aba996da2afd7c4077c8bd9b
SHA512: 8488b277dcac7f1e3cc40b3fe292cf07bdbe441ea695afef5d594442bb6529eee40236b977e739613fd993a03d51038328dbe10dfb1958fe0586491f1209bda3
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order.js
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: Purchase Order.js
Resource: win10v2004-20220414-en
Malware Config
Extracted family: snakekeylogger
Telegram Bot API endpoint: https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861
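The extracted config above is a Telegram Bot API sendMessage URL, which is how this Snake Keylogger build exfiltrates what it collects. The bot token (the `bot<id>:<secret>` part) and the `chat_id` are the actionable indicators: they can be reported for takedown, blocklisted, or hunted for in proxy logs. The following script is an added example, not part of the sandbox report or of any analysis tooling; it parses that URL into structured fields and scans log lines for further hits. The two proxy log lines it scans besides the report's URL are constructed for illustration.

```python
# Added example (not part of the sandbox report): pull structured IOCs out of
# the Telegram Bot API URL the report extracted from this Snake Keylogger
# sample, so the bot token and chat ID can be blocklisted, reported, or hunted
# for in proxy logs. Input below is the report's URL plus two constructed lines.
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Telegram Bot API URLs have the shape
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>?<query>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"/(?P<method>[A-Za-z]+)"
    r"(?:\?(?P<query>[^\s\"'<>]*))?"
)


@dataclass(frozen=True)
class TelegramC2:
    url: str
    bot_id: str             # numeric part before ':'; identifies the bot account
    token: str              # full '<bot_id>:<secret>' token the Bot API accepts
    method: str             # Bot API method, e.g. sendMessage / sendDocument
    chat_id: Optional[str]  # destination chat, if present in the query string

    def redacted(self) -> str:
        """Shareable form: keeps bot_id, method and chat_id, hides the secret."""
        base = f"https://api.telegram.org/bot{self.bot_id}:<redacted>/{self.method}"
        return base + (f"?chat_id={self.chat_id}" if self.chat_id else "")


def parse_telegram_c2(text: str) -> List[TelegramC2]:
    """Return every Telegram Bot API endpoint found in text (config dump or log line)."""
    hits: List[TelegramC2] = []
    for m in TELEGRAM_BOT_RE.finditer(text):
        query = parse_qs(m.group("query") or "")
        hits.append(
            TelegramC2(
                url=m.group(0),
                bot_id=m.group("bot_id"),
                token=f"{m.group('bot_id')}:{m.group('secret')}",
                method=m.group("method"),
                chat_id=query.get("chat_id", [None])[0],
            )
        )
    return hits


# First line is the URL the report extracted; the other two are constructed
# proxy log lines (one benign, one reusing the same bot token for sendDocument).
SAMPLE_LINES = [
    "https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861",
    "2022-06-14T08:13:02Z proxy allow host=example.org url=https://example.org/index.html",
    "2022-06-14T08:13:05Z proxy allow host=api.telegram.org "
    "url=\"https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendDocument\" ua=Mozilla/4.0",
]


def hunt(lines) -> List[TelegramC2]:
    """Scan log lines and return all Telegram Bot API hits, in order of appearance."""
    found: List[TelegramC2] = []
    for line in lines:
        found.extend(parse_telegram_c2(line))
    return found


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(hit.method, hit.bot_id, hit.chat_id, hit.redacted())
```

Matching on the full bot token rather than only on `api.telegram.org` matters in practice: the host is shared with legitimate bot traffic, but a specific `bot<id>:<secret>` value seen on an endpoint is a precise indicator, and the `redacted()` form is the one to paste into a ticket or share externally.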
Targets
Target: Purchase Order.js
Size: 543KB
MD5: 7455e47fd3e5f66fc5b6e1807ea0b568
SHA1: f4b3b59f3bc167f56fcf252f725a2b27d40a9de6
SHA256: 5ca1451c5426fb3bb6e4394f5e52ee6651683e78aba996da2afd7c4077c8bd9b
SHA512: 8488b277dcac7f1e3cc40b3fe292cf07bdbe441ea695afef5d594442bb6529eee40236b977e739613fd993a03d51038328dbe10dfb1958fe0586491f1209bda3
Signatures
- Snake Keylogger payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to discover the infected system's external IP address.