General
-
Target
Maersk Shipping Docs.zip
-
Size
6.1MB
-
Sample
230201-vjf5eacg4s
-
MD5
71c7487cccd9a60dc5ae335e399ca158
-
SHA1
38799f58328ccbabbde2f826c74e24071463f6c0
-
SHA256
c99b050645ebbc138018a9dcb4c3029bc1a9aa9376e7541c1011e815942948e1
-
SHA512
61f84850a88042a285b282670dca0764dfa76a58143871d0ff254ed15ee680fdaa530c6542659095b2fcbed842625947849cea4d335d8afd83ff0593907eb418
-
SSDEEP
98304:YDsYOrY3naAYoGZbdJ6OWcRRAyJujgOophvO4PMB59Rr:VMTXGZbd1LRAyegOoHvO4+5T
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5801425382:AAG5b4PUEaqNDv5uP9ejZGeIHeuzzOD4IHY/sendMessage?chat_id=5812329204
https://api.telegram.org/bot5839027687:AAGrC4UWgd0JQxMHOf1dCehA-oSrYF_Bez8/sendMessage?chat_id=1094077450
Extracted
remcos
RemoteHost
51.75.209.245:2406
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-52YOYG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
remcos
NEW REM STUB
onyem.duckdns.org:5050
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-HFP2Q6
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
http://172.174.176.153/dll/NoStartUp.ppam
Targets
-
-
Target
0014c57bfd62d2929bbad91d67b77c3b.bin
-
Size
152KB
-
MD5
0014c57bfd62d2929bbad91d67b77c3b
-
SHA1
769f34b854bdd2a4eeb7d09f9bbe9177beae0ad4
-
SHA256
c406f839b93838e2a8a4d1b0fd0b2b498576bc947ea71f0786d6f16a6b98b945
-
SHA512
1e8ad11bd0b50de61c25623b79f6b2ccbe1e857f9172df86122cd0a94c472a1b32fc738e9389e491523e8520b0a5db844e039ae520791576869803a3fa351797
-
SSDEEP
1536:SAgzEJRCRjTZ13uJjuBYHj0I+vBUFrlYYLDkrwsDQau8IzR+MFq9eQbb/UUcGSiL:SAgAEzoHj/LDdJwb8UcGSQwBj2iFbY
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
660e3fcc23c3a833e6e8af22b13ebd81
-
Size
172KB
-
MD5
660e3fcc23c3a833e6e8af22b13ebd81
-
SHA1
3966263baa4e4e511fe383910555ef5ceaa40914
-
SHA256
0ea47499aa08a0ed53a42fd19259cb677b4f87446f7fa7609b650f18d327de72
-
SHA512
bd6a1f83620d13a2a58fa31070237884d1a56dcedc23768768a94b4433d80a9f5affa5ae1aae8dee55a189026fa3fb68c2d433da4f7a955c13a46b314194583e
-
SSDEEP
3072:P44CG54MEA4qmNCNqiSnVm6BY1T2gg/HvV0qZ1+ipTraV8u1VcGLT9XM:Aveu/TMsiaeA/H/P+Ck
Score7/10-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
9dc5600bedda76a29aa0e33da951fc30
-
Size
504KB
-
MD5
9dc5600bedda76a29aa0e33da951fc30
-
SHA1
9daa8192ef8b03ee276de60e656a56b88ec2d074
-
SHA256
e966cd1651a960bc88f3582b328d274b2cbf2b84d59df761cbcd1702c38d5a14
-
SHA512
96e37c9a6342d09799138a97e1928d595aabf36ee5a250d7bba5c3397117a6bb0d19063cf305e1af6799aad6fbeb9257d429454340953203118fa288a0f74804
-
SSDEEP
12288:8RFO4oYvuoQouswXH06WAx5HSbr8z9i7+pvdCWtO:8TO4UdrE6J4r8zw6Rsh
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Acwpn.bin
-
Size
7KB
-
MD5
5828f5213c4721e4118b3e57388ff2a5
-
SHA1
6737cd48c485ed00f64d56f2996cb0a4b3e16db8
-
SHA256
1c1198c6de9cf636d4dc103add73a59ba3101ae38954f20f0ec6ed9b8c563dbd
-
SHA512
e90cc6a7debeb334a5569f0a69c3b1ef16d8a1b43ef3decc10bff8ae0e510e3e4d3ae8ca838fd4bc090aaece07c6ae0ab5a38f27aaff86e17e322b3e290cf428
-
SSDEEP
96:wUUIQg0soU3QSQKCJdsYB3TtmXdtEkdpBxNbFnU:wUUIPDQdsYF0tzbHk
Score10/10-
Detect PureCrypter injector
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
DHL SHIPPING DOC PDF.bin
-
Size
1.0MB
-
MD5
6d452842eeb2efa505763049d59c553a
-
SHA1
e13f2202155e12573a985b5df24319e5320f588e
-
SHA256
52e2a0d6ec4940ac71db48d62f8de4fa9ea7ea4a0abfaff91175ea2e0ec0d998
-
SHA512
c37faf01a77690351e6cd47196821dddca39a3df07a9286b17e2916fc107429ddadc5dc9fa695bfb52ab8105a1e41b1367c6d68472dac64ecb47f9a9be4add54
-
SSDEEP
24576:uL5mA6W5L4EAyxtiH5wkm99RtPK7TQXQyRU5JqG4yPa:eJ41OtiH5wbbRucXQyRU8
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
-
-
Target
Halkbank_Ekstre_20230129_075423_612150o.pdf..bin
-
Size
461KB
-
MD5
51505dd088beb3a3406dab4bcfc0090b
-
SHA1
7efb628f6b348b0f19360241f3f0661419617bc7
-
SHA256
5f16e8c1fef7f5f311b814b10f7b9e9b1ec3c204075fb8bb48ac207e256ea208
-
SHA512
dc05dc73895114c6025c986d696a3a6044c26f2e6e2c5863c33a7806461033f99ae2dbae153cdf1c1d2b93ee9686bddf98d2b58759e13aef923dbf0635e3166c
-
SSDEEP
12288:GENN+T5xYrllrU7QY62YrTNbwcD/xtDmpfJuB3:K5xolYQY62YrZ0nfs5
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
INVOICEXANDXBANKXDETAILS.doc
-
Size
8KB
-
MD5
a8caccc115c0ee90a947c31c8e3a452a
-
SHA1
42324c751619e2217c9879cb6bc312061d56639b
-
SHA256
6f0318fc63a3a123bc36c8c9765852b56ab83083a2f0c1338d8d3493e7273802
-
SHA512
b72a0e6edac3cd46353555234b56daeb44058a05aadfb37e6473f8ed8f7913d36c4f85009ffc693b34f4a4beb7bf944ce9008c2ed396a2caf0a8bc10cca5cf96
-
SSDEEP
192:3MHQcSUhRFs+McjIitJd07ab02yvQsqTLjFrJcLurIw6ZOzU:cHFthP7McjZ9oazJTLjFNcutaOzU
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Maersk Shipping Docs.exe
-
Size
618KB
-
MD5
44d5f28d8c991060173cb3656c41c5f8
-
SHA1
a84aae8b5f67d315ce5a38ad09ddef4400dbc0b4
-
SHA256
f9aa33269f7d56d6a16db1c91b5ce0df11fbe25c50d2c3f2222e07b83098d212
-
SHA512
55bd716b64c97da1b4dde39e7b0da03703ced82733a1cf6a6e33a236c2c66a3462bad1dba2218591e835a0d541d054b4e180b412b59493d7c660ddf420277d3b
-
SSDEEP
12288:BmsaDf3H2cE2pmlWmYwaiwHliNj6Weh3ih9HnA:BWWmcZs80BYTA
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
ORDER INQUIRY 20230201.bin
-
Size
1.1MB
-
MD5
4bc918bf6311c5b753c353efd306547e
-
SHA1
9b7301fc448a6d9564e6b984363190ffa88ab891
-
SHA256
89f4203e055ad6d3b40b74d683ed1ca0436ad4df41c3456f23134c4a15eb6c13
-
SHA512
0d9b575c93cb73de5cfc175335f72cefb8b9d3f5d5e90ab1353b0362fbde0bbcfc288fa5039759fb92ad0154e836c3cefb9636e7a108d5706023611e1ac93cfe
-
SSDEEP
24576:peOaJr8zw6RgDlCwwWbYqhseWy97+3A3Me83RAiTH/qc4N34:pAJr8zgDlCww6YqhsOY3OKhAiT
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-
-
-
Target
PO-8372929.xls
-
Size
461KB
-
MD5
e08cf4b188d5f8bf190189983b262ea7
-
SHA1
f84bb8baa69ca833c271697dded917bdf710c4ba
-
SHA256
a9c45f9d9af92c5a6c64c679414488d0d60916b501768379f8ca5e15d8955bab
-
SHA512
d7f7fb63b80a26cd8f02a38bb5ad757441013a81ad190072abdc896a9d800f4079ec28f6653acb78b17c494e6425ef35d2d297e5083a06182b91bd49e3bbdb07
-
SSDEEP
6144:2PXZ+RwPONXoRjDhIcp0fDlavx+W26nA1V0Y5ObF0I5eMFRI5elF0I5exF0I5eC:W6GYmWIvjIcWImWI
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
QUOTATION 1.doc
-
Size
36KB
-
MD5
af48f996012aa84711c7d65663e1515c
-
SHA1
5698857cc572dcca43a21fd89ac2f68081f1597f
-
SHA256
ac32a1e6ae4396b358a90a8c11686346cf1951c4e51eab84960dd8f307d20aa3
-
SHA512
83030992b26632aa58d318f77590f3169bc4c2bd0a4256199db0a4fcdd288d98da37b2a58f81c09ea13d3b2f25bb44cb25ffcba50d7eb274001b64cb628185eb
-
SSDEEP
768:bFx0XaIsnPRIa4fwJMiUT08fDW3Tg3LUq1QTyi5EjKsKTYs/qX:bf0Xvx3EMiJ0DWc3LUqmTyiEj3YriX
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Quotation.doc
-
Size
43KB
-
MD5
119ce65d4a9e479cd494c1a6de72c586
-
SHA1
812bc57420005036eca281e3210dc6827709c4e1
-
SHA256
f108a18c3b7eb3ba3a30f7535eca4e0a0a1901323052bea2156f67a9cb89788b
-
SHA512
2854dd8bcbeebb93a395d1281ee240e177eaa1fa774a4b522bf8d24014e9db84d6140db471de8c356a894444232057cf74de62204cb0b3684b9d1643333bfb3b
-
SSDEEP
768:GFx0XaIsnPRIa4fwJMY3l5KAnFeunXaPAdLNv+YF6pNxfwvtyrDwmfwt:Gf0Xvx3EMSKdu+i+YF6p7wFyrDb4t
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
e1cf59372694c7d46d84d0139b40d41b
-
Size
874KB
-
MD5
e1cf59372694c7d46d84d0139b40d41b
-
SHA1
d98fe7072196e71d5cb8388a7f6d62344ab382d9
-
SHA256
cd8be35dfd9e75a60f5f1aa9b9504823b887533f220617e65244eb9d8a0f8acf
-
SHA512
d95e2feb5062ab08168b62f0bd491d393aa02994b27aa3830fdc3c7de3f25460e03ea1e87837935e634634c68797689a637e0dea4560e700c1cd974d7f9cfac9
-
SSDEEP
12288:GWcoiHoylpLYR7aV0Hp615ExN0nmjkYIZsiSbHRry5rWeh3ih9HeA6RYcJbezuyc:GNoizkO0Hp5JyZAbHReBYTf6RBo
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
macintosh.xlsx
-
Size
776KB
-
MD5
f39fa9ca70c1acce62be880ee713e8ef
-
SHA1
0322f8b96aa93a7ee08533caac82bfdc89f660c0
-
SHA256
3590e97c8e6c65becfce92c63e164a2c808e7e9cb366cfc4c8ff76d7cc28a831
-
SHA512
6464d892bb2b98c6340dcfd118a870275d35a99d45f1cf8117c3971cd3a38d418388bb04385e45cca9e68ddf2060099ae29b4bfdf25e90940d436517493cbc69
-
SSDEEP
12288:BML7nvXmvR+hfBScVzn8HrDTUpU5HiiElrg2dFZI6ARIN2JmGbh3mv/IQzwISMIF:ImvRgMknUvQsMzfILRIVJ8v
Score10/10-
Blocklisted process makes network request
-
Drops file in System32 directory
-