General
Target: 7jhjjhjhjhhggftftftftftftf.doc
Size: 19KB
Sample: 221003-mx52pacfd7
MD5: 1a85abd5b723d16b82cfa01d0cbd45f9
SHA1: e4deeebd8838fde6a32977f2c3ad432dea837a29
SHA256: 4d908fe1a46f757857993e8489529b15527e6ba7c8f8e1083c27edf8ab723ac9
SHA512: 8fa7675b25c7ae9d68f9f1bbb469140a92915ed7b24a7c6686b351e80ff3aaaa79e236b08b6b0677ec368bd06fc9b6376a4452009dfa9869a4982ca74c8c6f5d
SSDEEP: 384:4bG+GPodmmItClwgZhinWAvKdfCSHvAm5Xb6wf/:4bG+mcUQlwgZhinWASQSHawf/
Static task: static1
Behavioral task: behavioral1
  Sample: 7jhjjhjhjhhggftftftftftftf.rtf
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7jhjjhjhjhhggftftftftftftf.rtf
  Resource: win10v2004-20220812-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: feritkalafatoglu@frem-tr.com
Password: LYSV$*b4
Email To: feritkalafatoglu@frem-tr.com
Targets
Target: 7jhjjhjhjhhggftftftftftftf.doc
Size: 19KB
MD5: 1a85abd5b723d16b82cfa01d0cbd45f9
SHA1: e4deeebd8838fde6a32977f2c3ad432dea837a29
SHA256: 4d908fe1a46f757857993e8489529b15527e6ba7c8f8e1083c27edf8ab723ac9
SHA512: 8fa7675b25c7ae9d68f9f1bbb469140a92915ed7b24a7c6686b351e80ff3aaaa79e236b08b6b0677ec368bd06fc9b6376a4452009dfa9869a4982ca74c8c6f5d
SSDEEP: 384:4bG+GPodmmItClwgZhinWAvKdfCSHvAm5Xb6wf/:4bG+mcUQlwgZhinWASQSHawf/
Score: 10/10
Signatures:
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext