Extracted

• • Target

    Airwaybill and Shipping Documents.exe

  • Size

    1.3MB

  • MD5

    617789256861bff10285a69537dae7f4

  • SHA1

    76bdfb6df8a14e654654d52eddc768616e9702f3

  • SHA256

    7728135e7ed9dd45d6e34faf84fd68e3cb14f30f7e2a17724e8cb06d1bf0212a

  • SHA512

    0ddd43bb735680fc89d0ede6d2e5c945bf3f7122e41b02debc9e1715e518f226c28683c62e6df27d8967be213d9b0973bc680d6068c4698f0e5b2b87682f885f

  • SSDEEP

    24576:t1W+LlzLRXSargVFPwvMoKwGGZGHygUzYBHVNSD:/rLl/9DEwWS

  Score

  10^/10

  snakekeyloggerstormkittycollectionkeyloggerpersistencestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2