General
- Target: f6ff5a18073b56d3a8d83195fa49486e289524729a081b5e49664f38854fe7e3
- Size: 678KB
- Sample: 230328-h8prmahe98
- MD5: 71b2e12765ab5b744e42aea118f2845d
- SHA1: 8882d7c1ef14d140f9de727207a95ef5ffb68fd3
- SHA256: f6ff5a18073b56d3a8d83195fa49486e289524729a081b5e49664f38854fe7e3
- SHA512: 67050f92dca57dc887d11736f7722c085e29b5a6e2974ff74e9ab2182856d6246ce113123a27ef13728d31ef2fab333cf677bf488f8f8ab400e65fd168262c20
- SSDEEP: 12288:uMw4EAPcLqU6LfBVbPWxAeWqHpST3yZrn0aHDyq9DSXALFWscaLU2:uMwtAPcLqU6nPKAzR3yBDyq0G62
Static task: static1
Behavioral task: behavioral1
- Sample: f6ff5a18073b56d3a8d83195fa49486e289524729a081b5e49664f38854fe7e3.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: f6ff5a18073b56d3a8d83195fa49486e289524729a081b5e49664f38854fe7e3.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.eversafe.pt
- Port: 587
- Username: pulqueriamonteiro@eversafe.pt
- Password: Ev3rsaf3_2021
- Email To: vbankz20@gmail.com
Targets
- Target: f6ff5a18073b56d3a8d83195fa49486e289524729a081b5e49664f38854fe7e3
- Size: 678KB
- Snake Keylogger payload
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext