General
-
Target
AWB15062022.js
-
Size
512KB
-
Sample
220616-hel4msfcbl
-
MD5
7e151e208de35b5a41db278b3cf0c5b3
-
SHA1
65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b
-
SHA256
c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534
-
SHA512
04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4
Static task
static1
Behavioral task
behavioral1
Sample
AWB15062022.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
AWB15062022.js
Resource
win10v2004-20220414-en
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861
Targets
-
-
Target
AWB15062022.js
-
Size
512KB
-
MD5
7e151e208de35b5a41db278b3cf0c5b3
-
SHA1
65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b
-
SHA256
c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534
-
SHA512
04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4
-
Snake Keylogger Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-