General
Target: Attachments.zip
Size: 16KB
Sample: 221125-hm3rcscg2t
MD5: e74c17b470802605c2e9eb5a95983a60
SHA1: df0c8f609ba261d02207588fb3f9296f2d48a5e5
SHA256: 13ab1548927d26b318b1fb95b164463e67a8032c9fa2da5a7d8d11192060ed23
SHA512: 649785afdc1b7b1b91824d654fecb09d6387fa697d648823fb73331da681872c6d4a111352b7e86ad22ff18570881594cdebae6ff61fddc2d563e7aa22c6ccd5
SSDEEP: 384:qiEZDfEDIGqKaYgGAObcNKelJX4oLPiwMoUozH9b3N6bl62QA:q9ZDCVNACcZlJIoLPfMVG9F2QA
Static task: static1
Behavioral task: behavioral1
  Sample: PROFORM INVOICE.rtf
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: PROFORM INVOICE.rtf
  Resource: win10v2004-20221111-en
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: cp5ua.hyperhost.ua
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@#$
  Email To: [email protected]
Targets
Target: PROFORM INVOICE.doc
Size: 29KB
MD5: aae5ca317fd665d6268e280f8bba0743
SHA1: 0f2c76c0dce2372e23492cab798f58cc790984c1
SHA256: 208265dfde00b33e04cf83a295608b2f507885125ce179ef771f38bff89136c7
SHA512: 4412ab3295d5d88056ad9cebef55f26a930dab2688c8ef7ec59ca270f93a5c0e4612bdd7c4175c1378b0fd1de226d8f1e22390323c24186bcb7797a4e2171872
SSDEEP: 768:6Fx0XaIsnPRIa4fwJM50zgpdBnREVUHtfkvL:6f0Xvx3EMKzgHB2VUNfkD
Score: 10/10
Signatures:
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext