General
Target: Order 5879024-00PO 4677PO 4678.docx
Size: 10KB
Sample: 221003-k2qfpahcgk
MD5: 87d4fc7bfdbc5302d9c6986670f21b83
SHA1: a3cd5021fd0987fa1acdb9d3ef996f9930fae76c
SHA256: 33dd6fafc72e99fd3b04543f51557c1fce75ad1af14deee757c561ccce208b75
SHA512: ea6ec2c36e9172ec969f210589fb3ce99029a4b9d047b049f134609bf8c7996d94d70d444e807480613d94a80e1a58d678302623c467a7936a0f5df60b588248
SSDEEP: 192:ScIMmtPYqPC7UpG/bkpbJNOzGdrdlJFtGxV32RgDp:SPXgqPCfIJNOzEjJFtGxx2RI
Static task: static1
Behavioral task: behavioral1
  Sample: Order 5879024-00PO 4677PO 4678.docx
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Order 5879024-00PO 4677PO 4678.docx
  Resource: win10v2004-20220812-en
Malware Config
Extracted: http://document_doc@1806450061/uuUASDbjasduhuasduyuASHUDHUSADHUASDU/7jhjjhjhjhhggftftftftftftf.doc
Extracted: snakekeylogger
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: feritkalafatoglu@frem-tr.com
  Password: LYSV$*b4
  Email To: feritkalafatoglu@frem-tr.com
Targets
Target: Order 5879024-00PO 4677PO 4678.docx
Size: 10KB
MD5: 87d4fc7bfdbc5302d9c6986670f21b83
SHA1: a3cd5021fd0987fa1acdb9d3ef996f9930fae76c
SHA256: 33dd6fafc72e99fd3b04543f51557c1fce75ad1af14deee757c561ccce208b75
SHA512: ea6ec2c36e9172ec969f210589fb3ce99029a4b9d047b049f134609bf8c7996d94d70d444e807480613d94a80e1a58d678302623c467a7936a0f5df60b588248
SSDEEP: 192:ScIMmtPYqPC7UpG/bkpbJNOzGdrdlJFtGxV32RgDp:SPXgqPCfIJNOzEjJFtGxx2RI
Score: 10/10
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Drops file in System32 directory
- Suspicious use of SetThreadContext