Extracted

• • Target

    2nd Invoice.xlsx

  • Size

    137KB

  • MD5

    85f545db1c213dcf29928d6d8073a2ae

  • SHA1

    768d7f8e20f514c987b8e560c953b699c0ea14f6

  • SHA256

    c4371db5235bb4ec11938ec939028d39514219df1452cc7fbb5d004f57a103a1

  • SHA512

    ebc24074041b42ba85475b3edfe6b42965ef01fcd554fe7ac357767696f859f6a1e9483e7f9fefacd35e5d7e8e021e759dfc19aa4be4b131d9dcac01e421460d

  • SSDEEP

    3072:sqfbzI3VkS+wIqjRn+j/SQe1o+BCMAwGFUOgzD4:ZTzYVkOTRnCLe1o4CfGz8

  Score

  10^/10

  snakekeyloggerkeyloggerstealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2