General
Target: ORDER 124 L130522ACH-OR.xlsx
Size: 146KB
Sample: 221012-p4mj2adeb7
MD5: 3e483578d0affa36177b36563cb6cf24
SHA1: 57540bd76bec3693f57feb0ad568ecfecf63ff91
SHA256: df02ae954e84599b683ef8c72a465342e6fefc0eb666a7b52b30d99de35e1b44
SHA512: 4483349abd10bd90677f6f5c3feb43162a04506ea3559ece11de2235590199da344978941c66115141fdcfa4f9ead0c992da80c751fd1422f11c9a5b734d7274
SSDEEP: 3072:lEozM8o9FfN95/fpLL3O9JfZNJwiFRz5GMqrVRlZk8GiqHshKj:1Q9FfN9JfJ7O/Bvj9C8inhQ
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER 124 L130522ACH-OR.xlsx
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ORDER 124 L130522ACH-OR.xlsx
  Resource: win10v2004-20220812-en
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: ocajNBT6
  Email To: [email protected]
Targets
Target: ORDER 124 L130522ACH-OR.xlsx
Size: 146KB
MD5: 3e483578d0affa36177b36563cb6cf24
SHA1: 57540bd76bec3693f57feb0ad568ecfecf63ff91
SHA256: df02ae954e84599b683ef8c72a465342e6fefc0eb666a7b52b30d99de35e1b44
SHA512: 4483349abd10bd90677f6f5c3feb43162a04506ea3559ece11de2235590199da344978941c66115141fdcfa4f9ead0c992da80c751fd1422f11c9a5b734d7274
SSDEEP: 3072:lEozM8o9FfN95/fpLL3O9JfZNJwiFRz5GMqrVRlZk8GiqHshKj:1Q9FfN9JfJ7O/Bvj9C8inhQ
Score: 10/10
Signatures:
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext