General
-
Target
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.doc
-
Size
10KB
-
Sample
230220-yenkgadh9v
-
MD5
73eb1fe347f4570fa1fbcbd6b5130f54
-
SHA1
dc5df0f94c44ad73c16df705f042a88c21f641cc
-
SHA256
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd
-
SHA512
2cf93df5e0cf20037629f5ff99f0969031ac09aa12f1e3e2361f9b2b7852023228fea71684d137e721856bc844aebe210370c2bcc8b801452820fdb3f405a175
-
SSDEEP
192:ScIMmtP0xfUW70vG/b3kgOi4OLO7qus+1pReDnc37FSR:SPX+si10ni4OnyeDnMJ2
Static task
static1
Behavioral task
behavioral1
Sample
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.docx
Resource
win10v2004-20230220-en
Malware Config
Extracted
http://WEEEERRRRRRRRRRRPPPOOOOSSSSSSSOOOOOPPWEEEEEEEOOOOOOOCCVVVVVVVVOVVVVVVVVVVVVVVVVOOOOOO@1755848856/O__O.DOC
Extracted
snakekeylogger
Protocol: smtp- Host:
citalmet.com.ar - Port:
587 - Username:
log@citalmet.com.ar - Password:
payment@123
Targets
-
-
Target
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd.doc
-
Size
10KB
-
MD5
73eb1fe347f4570fa1fbcbd6b5130f54
-
SHA1
dc5df0f94c44ad73c16df705f042a88c21f641cc
-
SHA256
0cabd94f0a906814f15908d2349fddb421d3e15d4879f8cd993c7c518d954ddd
-
SHA512
2cf93df5e0cf20037629f5ff99f0969031ac09aa12f1e3e2361f9b2b7852023228fea71684d137e721856bc844aebe210370c2bcc8b801452820fdb3f405a175
-
SSDEEP
192:ScIMmtP0xfUW70vG/b3kgOi4OLO7qus+1pReDnc37FSR:SPX+si10ni4OnyeDnMJ2
Score10/10-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-