General
Target: c1bfbef8ecc32f1df3a34eca416ceafe-sample.zip
Size: 1.6MB
Sample: 230404-xn7h9shd67
MD5: 6ae8c80f1b536caf23d98d5e70c85b2d
SHA1: 4ddc793f92323dd45ae4e04661a9ba4dfcc571bd
SHA256: bdec6f0bf7b4d3d3b78b6173b6c9fd053d80b86c43db8a9f2e7add084e4ecdc9
SHA512: b2a851c2d7c7c290601a363f34ec2e1abaa10220a43a20062d574edff0baa0f0d393a6674cd5b244291ff43567058c264791b8a8a9e4e8e62357894dd4a76aa5
SSDEEP: 49152:se9tAZSd5+LRXm9S7Ylrgza3beaK6ZR8ok:seLAZSduo9SMl+qeamZ
Static task: static1
Behavioral task: behavioral1
  Sample: qbOdWSNNuqquo2E.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: snakekeylogger
https://api.telegram.org/bot6241220793:AAFx6XFOw5z4Op7twC8hAqYib_mTz67Z4Ak/sendMessage?chat_id=2054148913
Targets
Target: qbOdWSNNuqquo2E.exe
Size: 2.0MB
MD5: 40c32c129e09d3eb618e27eb168aaadf
SHA1: 6a35a5fa5a53ceba217c66562477e954aec8eb2b
SHA256: e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
SHA512: 72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48
SSDEEP: 49152:6nsHyjtk2MYC5GDDMZEf4F0fVGJ2LxsL9ve049:6nsmtk2a1igSA2F0DU
- Snake Keylogger payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext