General
- Target: 5192e989e4127439bf8d14df260b0012.zip
- Size: 279KB
- Sample: 230328-pn4tdaba32
- MD5: 70e8fbcd9dc67b76db96b0c5c1b97194
- SHA1: 7be93cca9f42653b6caa62c59c238c4c57c883b5
- SHA256: 63d94f3185860047199a4ec4b49353f460c6a22e3d303a8ec438ae4cb3761d34
- SHA512: 7ac890757fedbb1b175ac1f05c2b10167d3c33c0d051b7a5248be7167573a9ed6b8cddb11240acd3bca6c705e9b6b06ef25d25a7f28db605c8b83efc429cd3bb
- SSDEEP: 6144:09I2qA1REhrU3nDJKTgvHHNQYH16H8SmNcVVDVdiyhwO3F:iIu1CrUTJw2HNQvcSmNUEyhwqF
Static task
- static1
Behavioral tasks
- behavioral1: Sample facturas.exe, Resource win10-20230220-en
- behavioral2: Sample facturas.exe, Resource win7-20230220-en
- behavioral3: Sample facturas.exe, Resource win10v2004-20230220-en
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.eversafe.pt
- Port: 587 (SMTP submission)
- Username: pulqueriamonteiro@eversafe.pt
- Password: Ev3rsaf3_2021
- Email To: csivirus@yandex.com
Targets
- Target: facturas.bat
- Size: 625KB
- MD5: 5192e989e4127439bf8d14df260b0012
- SHA1: 4ca7737e47bb98da7a2aa764f680a0f782244f5e
- SHA256: 8fdf3ed254c5e95ac1f1e6647a2ae33123c8635aff1a167c9e59fc1c7516f711
- SHA512: bf865bf5d90592e50547813d5c909c5c784934a45b2ee4002c3dea630b7680895728c5520ebf940966d7024d07be15b954eed4185fde7f04afc099d99211278d
- SSDEEP: 6144:sMm4CCHM4NL26fgvL6p1K6tCNmeiR9zwdXcBoTo:sMwg/NL26fgvOKkCmeiz08oTo
Score: 10/10
- Snake Keylogger payload
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
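The following script is an added example, not part of the sandbox report or of any vendor tooling. It turns the report's two hash sets (the zip container in General and facturas.bat in Targets) and the extracted SMTP exfiltration config into checks a responder can run: identify a file on disk against the report's hashes, and flag mail-log sessions that match the Snake Keylogger mailbox. The tab-separated log format and the log lines are constructed for this example; the function and constant names are the author's own and appear in no real tool.

```python
"""IOC checks derived from the sandbox report above.

Added example, not part of the original report or of any vendor tooling.
It (1) identifies a file on disk against the report's hash sets and
(2) flags SMTP sessions to the extracted Snake Keylogger exfiltration
mailbox in a simplified, constructed tab-separated mail log.
"""
import hashlib

# Hashes copied from the report (zip container and the inner facturas.bat).
REPORT_HASHES = {
    "5192e989e4127439bf8d14df260b0012.zip": {
        "md5": "70e8fbcd9dc67b76db96b0c5c1b97194",
        "sha1": "7be93cca9f42653b6caa62c59c238c4c57c883b5",
        "sha256": "63d94f3185860047199a4ec4b49353f460c6a22e3d303a8ec438ae4cb3761d34",
    },
    "facturas.bat": {
        "md5": "5192e989e4127439bf8d14df260b0012",
        "sha1": "4ca7737e47bb98da7a2aa764f680a0f782244f5e",
        "sha256": "8fdf3ed254c5e95ac1f1e6647a2ae33123c8635aff1a167c9e59fc1c7516f711",
    },
}

# Exfiltration channel from the extracted config.
EXFIL_HOST = "mail.eversafe.pt"
EXFIL_PORT = 587
EXFIL_SENDER = "pulqueriamonteiro@eversafe.pt"
EXFIL_RECIPIENT = "csivirus@yandex.com"


def file_hashes(path):
    """Return md5/sha1/sha256 of a file, streamed so large samples are fine."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def identify_sample(hashes):
    """Name the report artifact whose hashes all match, or None.

    Requiring every algorithm to agree guards against a single mistyped
    digest in a report producing a confident misidentification.
    """
    for name, expected in REPORT_HASHES.items():
        if all(hashes.get(alg) == value for alg, value in expected.items()):
            return name
    return None


def scan_mail_log(lines):
    """Flag SMTP sessions that match the extracted exfiltration config.

    Log format is constructed for this example (tab-separated:
    ts, src_ip, dst_host, dst_port, mail_from, rcpt_to); a real Zeek
    smtp.log or mail-gateway log needs its own field mapping.
    Sessions on port 587 usually upgrade to STARTTLS, so envelope
    addresses may only be visible in the sending host's own logs or at
    a gateway that terminates TLS; a host:port match without envelope
    data is therefore reported as a weaker, separate hit.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, host, port, mail_from, rcpt = line.rstrip("\n").split("\t")
        if host.lower() != EXFIL_HOST or int(port) != EXFIL_PORT:
            continue
        envelope_match = (mail_from.lower() == EXFIL_SENDER
                          and rcpt.lower() == EXFIL_RECIPIENT)
        severity = "high" if envelope_match else "medium"
        hits.append((ts, src, severity))
    return hits


# Constructed sample log: one benign session, one full exfil session, one
# TLS-wrapped session where only the destination is visible.
SAMPLE_LOG = [
    "# ts\tsrc_ip\tdst_host\tdst_port\tmail_from\trcpt_to",
    "2023-03-28T10:01:00Z\t10.0.0.5\tsmtp.example.com\t587\tuser@example.com\tboss@example.com",
    "2023-03-28T10:02:13Z\t10.0.0.17\tmail.eversafe.pt\t587\tpulqueriamonteiro@eversafe.pt\tcsivirus@yandex.com",
    "2023-03-28T10:03:41Z\t10.0.0.23\tmail.eversafe.pt\t587\t-\t-",
]

if __name__ == "__main__":
    for ts, src, sev in scan_mail_log(SAMPLE_LOG):
        print(f"{sev:6} {ts} {src}")
```

Run it as-is to see the two flagged sessions; pass `file_hashes("<path>")` to `identify_sample` to check whether a file you hold is the zip or the inner facturas.bat. SHA512 and SSDEEP are left out of the hash set deliberately: three agreeing digests already identify the file, and fuzzy matching needs a third-party library.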