General
Target: FRA03202327.rar
Size: 550KB
Sample: 230327-pzzc2afe6y
MD5: 963503ce0209c8634b0a10b33351f033
SHA1: 5f4124852d3fe47a7d5565d6c0e7fdd4ac4a68f2
SHA256: 7538b0de3fda6887fa9faa165bf19955c29841fda9a254cba8c7b2f93c9a1658
SHA512: 496326e45b4b5a66d9c6ced04989aad5033b9fe5923e0c9a37de00b7b048318774ad69bfa2d85ca8e94a5445ccb4deef48159cc1660f93f072a3cb9ce430721d
SSDEEP: 12288:wN5y35xG7Ic21G7sKprhfX07p11KnikN1wFLAQBoZ:wm5wCGIKprdXQp1UiGVZ
Static task: static1
Behavioral task: behavioral1
  Sample: FRA03202327.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: FRA03202327.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: mail.eversafe.pt
  Port: 587
  Username: pulqueriamonteiro@eversafe.pt
  Password: Ev3rsaf3_2021
  Email To: frametime17@gmail.com
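The extracted config above gives the exfiltration channel (an SMTP account on mail.eversafe.pt, port 587, delivering to frametime17@gmail.com), and the report gives the SHA256 of both the archive and the dropped executable. The following is an added example, not part of the sandbox report: it turns those values into indicators and runs them over constructed firewall and EDR log lines. The log formats and the log lines themselves are assumptions made for the example; only the host, port, mailbox and hashes come from the report. The external IP lookup service the sample contacts is not named in the report, so it is not included.

```python
"""Hunt for the Snake Keylogger indicators this report extracts.

Indicator values are copied from the report; the log lines and their
formats are constructed for the example and are not from the report.
"""
import re

# Indicators from the report's extracted config and target hashes.
SMTP_HOST = "mail.eversafe.pt"
SMTP_PORT = 587
EXFIL_MAILBOX = "frametime17@gmail.com"
KNOWN_SHA256 = {
    "7538b0de3fda6887fa9faa165bf19955c29841fda9a254cba8c7b2f93c9a1658": "FRA03202327.rar",
    "b6252d1920c72ca9a171d28353495c48cbd053bfe59d4a4fac747cead3b08aa8": "FRA03202327.exe",
}

# Constructed firewall export (assumed format): "<ts> <src_ip> -> <dst_host>:<dst_port> <proto>"
FIREWALL_LOG = """2023-03-27T15:02:11Z 10.0.4.23 -> mail.eversafe.pt:587 tcp
2023-03-27T15:02:14Z 10.0.4.23 -> update.microsoft.com:443 tcp
2023-03-27T15:03:40Z 10.0.4.51 -> mail.eversafe.pt:587 tcp
2023-03-27T15:04:02Z 10.0.4.23 -> mail.eversafe.pt:25 tcp"""

# Constructed EDR process-creation export (assumed format):
# "<ts> host=<name> image=<path> sha256=<hex>"
EDR_LOG = """2023-03-27T15:01:58Z host=WS-023 image=C:\\Users\\j\\Downloads\\FRA03202327.exe sha256=b6252d1920c72ca9a171d28353495c48cbd053bfe59d4a4fac747cead3b08aa8
2023-03-27T15:02:00Z host=WS-023 image=C:\\Windows\\System32\\svchost.exe sha256=0000000000000000000000000000000000000000000000000000000000000000"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<proto>\w+)$")
EDR_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) sha256=(?P<sha256>[0-9a-f]{64})$")


def find_smtp_c2(log):
    """Return (ts, src, port, exact) for every connection to the configured SMTP host.

    Any port to the host is reported, because a rebuilt config may switch
    587 for 25 or 465; 'exact' is True only when the port is the one the
    report extracted.
    """
    hits = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m or m["dst"].lower() != SMTP_HOST:
            continue
        port = int(m["port"])
        hits.append((m["ts"], m["src"], port, port == SMTP_PORT))
    return hits


def find_known_hashes(log):
    """Return (host, image, report_name) for process launches whose SHA256
    matches one of the report's two targets."""
    hits = []
    for line in log.splitlines():
        m = EDR_RE.match(line)
        if m and m["sha256"] in KNOWN_SHA256:
            hits.append((m["host"], m["image"], KNOWN_SHA256[m["sha256"]]))
    return hits


def sources_to_block(fw_log):
    """Internal sources that reached the exfil host, sorted, for a quick containment list."""
    return sorted({src for _, src, _, _ in find_smtp_c2(fw_log)})


if __name__ == "__main__":
    for hit in find_smtp_c2(FIREWALL_LOG):
        print("smtp-c2", hit)
    for hit in find_known_hashes(EDR_LOG):
        print("known-hash", hit)
    print("contain", sources_to_block(FIREWALL_LOG))
```

Matching on the destination host rather than the resolved IP is deliberate: the mail host belongs to what looks like a legitimate third-party domain whose account was abused, so its IP may change or be shared, while the hostname and the submission port are what the extracted config pins down. The password is intentionally not used as an indicator; it is only useful for notifying the account owner.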
Targets
Target: FRA03202327.exe
Size: 682KB
MD5: a03f166e1ac1dbcd11eb8b38caa1cddd
SHA1: da98430dcad69ec69931629ad0502b914118cea9
SHA256: b6252d1920c72ca9a171d28353495c48cbd053bfe59d4a4fac747cead3b08aa8
SHA512: 76b61b043768c2d2ad19601e91d6013bbb4e4ede950b754b36bdfecddf3bcb842398c01bd5b2c377fc72d6b8527f02f27ae553f1ef132804312e96e2b0f1b851
SSDEEP: 12288:JMw4EAPcLq/BfWXbZsUBxKHSQBaAT3yZrn0aHDyq9DSXALFW0acaLUJ:JMwtAPcLq/ByNsQyBv3yBDyq0GR3J
- Snake Keylogger payload
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Threads created or flagged with ThreadHideFromDebugger stop delivering debug events to an attached debugger, a common anti-analysis measure.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is typical of process hollowing or thread hijacking, where the payload is started inside a legitimate process.