General
Target: proforma-565468.js
Size: 117KB
Sample: 220919-jsn1tsfaf5
MD5: adcf65bb1e34b719258ca08dc0b8041f
SHA1: 391c14e68f715031dbff5d70872f92280bdba47f
SHA256: a760f6d045295fd5795e26f029ede0eb40074dba7b5462f94e0b31fbdc399856
SHA512: 1fde146f5bb8f1a38b3e4486b5b2510b233363f37193ee64d853bf152c6b6cb18d4349c1b1110dae1a6fbad0bd998cd6d64d0b62be3135c1fc175d7dc7405f91
SSDEEP: 3072:Xwvo83p4aVZ8QXRoxt1uIlQ/LHXRRWKN8DRYEFaJsxinoam:Xwvo83+WYr1u6+LBV8DRf4vLm
Static task: static1
Behavioral task: behavioral1
  Sample: proforma-565468.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: proforma-565468.js
  Resource: win10v2004-20220812-en
Malware Config
Extracted: snakekeylogger
https://api.telegram.org/bot5413418879:AAGAIPfyTA90xoGpfgmho11YwulQ18wfiak/sendMessage?chat_id=1351581537
Targets
Target: proforma-565468.js
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext