General

Target: SHIPPING DOCUMENTS.xls
Size: 1.5MB
Sample: 230323-r757naac6t
MD5: 518e41c69dec599380cccb991d047e16
SHA1: 5b061c85b3c5be0079bdc830389f197c059e6f44
SHA256: a26cf1908d8e2e9ab6e9b3fdf31d6cb5d58d7035374cd513b459a1541cc2fc79
SHA512: b7f0e1f2cdb7edda83180262d4bd138f06a24a9335a4e437903806398dbdd25f4170bfe967b1cf476c73a865db3bffdf31a8957ed2683188e9a1aecaf790c761
SSDEEP: 24576:w+3bqIKPsoGRwGtt6EaSE8hpaMNzl8raUtGCn113q49zuCr2+zm/E0IEWQNLGBuu:DrtKjG/n6Ead9MNzlMRtGCn113q496CJ
Behavioral task: behavioral1
Sample: SHIPPING DOCUMENTS.xls
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: SHIPPING DOCUMENTS.xls
Resource: win10v2004-20230220-en
Malware Config

Extracted family: snakekeylogger
Telegram Bot API URL: https://api.telegram.org/bot5641589629:AAE7PbYkX7JPIEd1r5HHvkG2FiDsJ1HpC0c/sendMessage?chat_id=5609091537

The exfiltration channel is the Telegram Bot API: the bot token (the value between /bot and the next slash) and the chat_id in the query string are both static in the sample, so each is a usable indicator on its own, and any host calling api.telegram.org/bot<id>:<secret>/sendMessage without a business reason deserves a look.
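The following is an added example, not part of the sandbox report or of any Snake Keylogger tooling. It parses a Telegram Bot API URL of the shape shown above into its indicator components (bot id, full token, method, chat_id) and scans constructed proxy log lines for any Telegram bot API call, marking hits whose bot id matches the one extracted from this sample. The log lines and the second bot token are constructed for the example; the allowed secret length in the regex is an assumption based on the 35-character secret in the extracted URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Telegram bot API URL: /bot<numeric id>:<secret>/<method>. The secret length
# bounds are an assumption (the sample's secret is 35 characters long).
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)"
)

# Indicator taken from the extracted config of this sample.
SAMPLE_C2 = (
    "https://api.telegram.org/bot5641589629:AAE7PbYkX7JPIEd1r5HHvkG2FiDsJ1HpC0c"
    "/sendMessage?chat_id=5609091537"
)
KNOWN_BAD_BOT_IDS = {"5641589629"}


def parse_telegram_c2(url):
    """Split a Telegram bot API URL into its indicator components, or None if it is not one."""
    m = TELEGRAM_BOT_RE.match(url)
    if not m:
        return None
    qs = parse_qs(urlsplit(url).query)
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": qs.get("chat_id", [None])[0],
    }


def scan_lines(lines):
    """Find Telegram bot API calls in free-form log lines (proxy logs, strings output)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in TELEGRAM_BOT_RE.finditer(line):
            # Take the whole URL token so the query string (chat_id) is kept.
            url = line[m.start():].split()[0]
            info = parse_telegram_c2(url)
            info.update(line=n, known_bad=info["bot_id"] in KNOWN_BAD_BOT_IDS)
            hits.append(info)
    return hits


# Constructed proxy log lines (not from the report); one benign Telegram web visit,
# one call matching the sample's bot, one call to a different, made-up bot.
SAMPLE_LOG = [
    "2023-03-23T10:01:12Z 10.0.0.17 GET https://www.bing.com/ 200",
    "2023-03-23T10:01:40Z 10.0.0.17 GET " + SAMPLE_C2 + "&text=hostname 200",
    "2023-03-23T10:02:03Z 10.0.0.22 GET https://web.telegram.org/ 200",
    "2023-03-23T10:02:09Z 10.0.0.31 POST https://api.telegram.org/bot1234567890:"
    "AAHabcdefghijklmnopqrstuvwxyz012345/sendDocument 200",
]

if __name__ == "__main__":
    print(parse_telegram_c2(SAMPLE_C2))
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

Any bot API call from a workstation is worth an alert even when the bot id is unknown; the known_bad flag only raises the priority for this sample's bot.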
Targets

Target: SHIPPING DOCUMENTS.xls
Size: 1.5MB
Hashes: as listed under General (MD5 518e41c69dec599380cccb991d047e16, SHA256 a26cf1908d8e2e9ab6e9b3fdf31d6cb5d58d7035374cd513b459a1541cc2fc79)
Score: 10/10

Signatures:
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles (the profile registry keys hold mail account settings and stored credentials, a common target for credential stealers)
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (commonly used to hijack a suspended process for code injection, as in process hollowing)
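As an added example that is not part of the sandbox report: the two signatures most useful outside a sandbox, an Office application spawning an unexpected child and a process calling an external IP lookup service, expressed as detection logic over constructed Sysmon-style process and DNS events. The child allowlist, the list of IP lookup hosts and the events themselves are assumptions for the example, not values taken from the report; the example also walks the process tree so that an IP lookup is ranked high only when the querying process descends from an Office application.

```python
import ntpath
from dataclasses import dataclass

# Office applications whose child processes are worth scrutinising.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office app may start during normal use. This allowlist is an
# assumption for the example; tune it per environment rather than copying it.
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "dw20.exe"}
# Directories a macro can write to without privileges (dropped EXE location).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Legitimate external-IP lookup services (partial list, an assumption for the example).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str


def _base(path):
    return ntpath.basename(path).lower()


def unexpected_office_children(events):
    """Flag processes whose parent is an Office app and that are not allowlisted."""
    findings = []
    for e in events:
        parent, child = _base(e.parent_image), _base(e.image)
        if parent not in OFFICE_APPS or child in OFFICE_CHILD_ALLOWLIST:
            continue
        reasons = [f"{parent} spawned {child}"]
        if any(d in e.image.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("child image in a user-writable path (possible dropped EXE)")
        findings.append((e.pid, reasons))
    return findings


def office_descendants(events):
    """Return the pids of every process whose ancestry chain reaches an Office app."""
    by_pid = {e.pid: e for e in events}
    out = set()
    for e in events:
        seen, cur = set(), e
        while cur.ppid in by_pid and cur.ppid not in seen:
            seen.add(cur.ppid)
            cur = by_pid[cur.ppid]
            if _base(cur.image) in OFFICE_APPS:
                out.add(e.pid)
                break
    return out


def external_ip_lookups(dns_events):
    """dns_events: iterable of (pid, queried_name). Return queries to IP lookup services."""
    return [(pid, name) for pid, name in dns_events
            if name.lower().rstrip(".") in IP_LOOKUP_HOSTS]


def correlate(events, dns_events):
    """Rank IP lookup alerts: high when the querying process sits under an Office app."""
    tree = office_descendants(events)
    return [{"pid": pid, "host": host, "severity": "high" if pid in tree else "low"}
            for pid, host in external_ip_lookups(dns_events)]


# Constructed events for the example (not taken from the sandbox run).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    ProcEvent(1000, 600, EXCEL, r"C:\Windows\explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Users\bob\AppData\Roaming\dropped.exe", EXCEL),
    ProcEvent(1400, 600, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1500, 1000, r"C:\Windows\splwow64.exe", EXCEL),
]
DNS_EVENTS = [(1200, "checkip.dyndns.org"), (1400, "www.microsoft.com"), (2000, "api.ipify.org")]

if __name__ == "__main__":
    for pid, reasons in unexpected_office_children(EVENTS):
        print(pid, "; ".join(reasons))
    for hit in correlate(EVENTS, DNS_EVENTS):
        print(hit)
```

The tree walk matters because the keylogger, not Excel, performs the IP lookup: an alert keyed only on the parent image would miss it, while an alert keyed only on the DNS name would fire on every benign client of those services.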