General
- Target: Order.doc
- Size: 26KB
- Sample: 230125-lyxw2aff53
- MD5: d7b4ead6fc37ef7315c0118f8039e5fd
- SHA1: 70c4b99344efebdfd15c84543a73387e051d9c6e
- SHA256: 390638174e786d6f8debc631dcd06acf8e06fe5a80f9dbb6cad409794bf70ff0
- SHA512: 398e8627329f6cd74279e6b2c8f07aec58a522804b8177523c6a8ee259710067de2d8bd4d9f166122dd748727bb5938c4af7c43176aa2b133e9617edd80dc255
- SSDEEP: 384:qQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZgNAStY8hAtGMHM62bIhRohX9s:mFx0XaIsnPRIa4fwJMn8CtGP62E29s
Static task: static1
Behavioral task: behavioral1
- Sample: Order.rtf
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Order.rtf
- Resource: win10v2004-20220901-en
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: cp5ua.hyperhost.ua
- Port: 587
- Username: wealthlog@gthltd.buzz
- Password: 7213575aceACE@#$
- Email To: wealth@gthltd.buzz
Targets
- Target: Order.doc (size and hashes as listed under General above)
- Score: 10/10
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext