General
-
Target
PRICE OFFER_01321.exe
-
Size
699KB
-
Sample
220705-n7fp8aagf6
-
MD5
c4e2b85e0285bd6fc888c326a4724ba8
-
SHA1
27629d34786f67e20c31e4ab3ee88276fc8e51a4
-
SHA256
6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423
-
SHA512
3038e1a9242a7a94acb083aee37b1d874682181f01cc63b029146b709555c269d3e93fabd40ce22fa2cdb9f65e45be3540646991408ee13ecf6e2f74855b075e
Static task
static1
Behavioral task
behavioral1
Sample
PRICE OFFER_01321.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PRICE OFFER_01321.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.anatolia-mountains.com - Port:
587 - Username:
h.alhaj@anatolia-mountains.com - Password:
Anatolia3? - Email To:
jevi.jrk@gmail.com
https://api.telegram.org/bot5340115384:AAFLNLUoDjoCsDoiMMlkY81rG-_Kb9LOEBc/sendMessage?chat_id=5316464344
Targets
-
-
Target
PRICE OFFER_01321.exe
-
Size
699KB
-
MD5
c4e2b85e0285bd6fc888c326a4724ba8
-
SHA1
27629d34786f67e20c31e4ab3ee88276fc8e51a4
-
SHA256
6fccc54b1735e68508ccfdad83f18a26226257c153b714d8cff7d0cffe905423
-
SHA512
3038e1a9242a7a94acb083aee37b1d874682181f01cc63b029146b709555c269d3e93fabd40ce22fa2cdb9f65e45be3540646991408ee13ecf6e2f74855b075e
-
Snake Keylogger Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-