General
- Target: 184285013-044310-Factura pendiente.zip
- Size: 559KB
- Sample: 230327-rw4vfsdh38
- MD5: 2753522889f3d3938c9f6dd69b66dafa
- SHA1: 649d87148965f0a5ecde58b8ccc6fd90316bfd95
- SHA256: 6d3df181ffbb8c0b15c08aed7b74ff3bd81bb41d356c7e5249f720d04e14f99b
- SHA512: 09499dad99213347064dc24487cbe0295ece527f11049248221b3a9d39b6fb5783bef0d2ad43a3be4f6564d7aa2a3acc8bd7fe16e096b341418578f985541b66
- SSDEEP: 12288:+63gIueiQm6IkMiNUEl3+Zrl0a9D+qnDSXALnWocaLqw:+6weRm6jMWV3+JD+qOGn
Static task: static1
Behavioral task: behavioral1
- Sample: 184285013-044310-Factura pendiente.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 184285013-044310-Factura pendiente.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.eversafe.pt
- Port: 587
- Username: pulqueriamonteiro@eversafe.pt
- Password: Ev3rsaf3_2021
- Email To: williamsmith8135@gmail.com
Targets
- Target: 184285013-044310-Factura pendiente.exe
- Size: 686KB
- MD5: 639ea89052d1e5e3b27bb26e4641a33f
- SHA1: 232f7c7c342a6f8935719aaa66cb5b30ee14baf0
- SHA256: 6966144426edc4d696a5cae07695d56532e5c960c845fe1c1c9efdaddb130754
- SHA512: e6bfe76258f13b95fa62b4b5ca7052f2f9c1df115cd15e765f505e73843825006a349ec496ced444870a0fc9bb6c58207bf8398810228422c5f8924b3499fdad
- SSDEEP: 12288:PMw4EAPcLqtueAQQ6CkGi1UET3yZrn0aHDyq9DSXALFWUcaLUZ:PMwtAPcLqEenQ6dGIj3yBDyq0GKZ
Signatures
- Snake Keylogger payload
- Checks QEMU agent file: checks presence of the QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext