General
-
Target
Payment Request Review.exe
-
Size
691KB
-
Sample
230505-p8metsaf79
-
MD5
2ff4d870cb02831c65b73f1d0205ce09
-
SHA1
4ec739c65bc70acd3cbcbddc249630e77754acc5
-
SHA256
9a97d9127c4f8158ec393f7e0c47bd056fe6eee6c76c05600dd0c219d1de405f
-
SHA512
3b8190b413a8969bb8377f5918f2d2e4f4d096440be54f2bd6a7b4918e9e88656716b57b4d5ac8bcef7eb5ff39ea7d9e5e21b6e8581eb44ef56132da45ff7aa6
-
SSDEEP
12288:5c77oMdswXyP1+k9fR4fG0KmuV1By7o/7EK+jQvCiy0zhW:OkkfbuGc/78QvCi
Static task
static1
Behavioral task
behavioral1
Sample
Payment Request Review.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Payment Request Review.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
Family: snakekeylogger
Exfiltration channel: Telegram Bot API (sendMessage). The bot token and the destination chat_id are hard-coded in the URL, so both survive repacking and are the most stable indicators for this operator.
https://api.telegram.org/bot5435719278:AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0/sendMessage?chat_id=5666881718
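The extracted URL above is the whole exfiltration configuration: Snake Keylogger posts stolen data to a Telegram bot, and the bot token plus chat_id identify the operator. The example below (added here; not part of the sandbox report and not the malware's own code) splits such a URL into bot id, secret, API method and chat_id, derives hunting strings from it, and runs the same check over a few constructed proxy-log lines to flag any host talking to the Telegram Bot API. The log line format (timestamp, source IP, HTTP method, URL, status) is an assumption for the demo.

```python
"""Parse a Snake Keylogger Telegram exfiltration URL and hunt for the same
pattern in proxy logs. Added example; not from the sandbox report."""
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API paths have the shape /bot<bot_id>:<secret>/<method>
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)


def parse_telegram_c2(url):
    """Return bot_id, secret, method and chat_id from a Telegram Bot API URL,
    or None if the URL is not a Bot API call at all."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query)
    return {
        "bot_id": m.group("bot_id"),
        "secret": m.group("secret"),
        "method": m.group("method"),
        "chat_id": qs.get("chat_id", [None])[0],
    }


def indicators(url):
    """Derive hunting strings from a C2 URL: the full bot token first
    (it is what other samples from the same operator reuse), then the chat id."""
    c = parse_telegram_c2(url)
    if c is None:
        return []
    out = [f"{c['bot_id']}:{c['secret']}"]
    if c["chat_id"]:
        out.append(c["chat_id"])
    return out


def scan_proxy_log(lines):
    """Flag every log line whose URL is a Telegram Bot API call, from any bot.
    Assumed (constructed) line shape: '<ts> <src_ip> <http_method> <url> <status>'.
    Workstations rarely call api.telegram.org/bot... directly, so every hit is
    worth triage; the chat_id lets you group hits by operator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        c = parse_telegram_c2(fields[3])
        if c:
            hits.append({"src": fields[1], **c})
    return hits


# The URL extracted from the sample by the sandbox
SAMPLE_URL = (
    "https://api.telegram.org/bot5435719278:"
    "AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0/sendMessage?chat_id=5666881718"
)

# Constructed proxy-log lines for the demo; not real traffic
SAMPLE_LOG = [
    "2023-05-05T12:00:01Z 10.0.0.7 GET https://www.example.com/ 200",
    "2023-05-05T12:00:03Z 10.0.0.7 GET https://checkip.example.net/ 200",
    "2023-05-05T12:00:04Z 10.0.0.7 POST " + SAMPLE_URL + " 200",
    "2023-05-05T12:00:05Z 10.0.0.9 GET https://api.telegram.org/bot111:abc/getMe 200",
]

if __name__ == "__main__":
    print(parse_telegram_c2(SAMPLE_URL))
    print(indicators(SAMPLE_URL))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The regex deliberately accepts any bot id and secret rather than only the one from this sample, because the operator can rotate the token while the exfiltration pattern stays the same; match on the token for attribution, on the path shape for detection.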
Targets
-
-
Target
Payment Request Review.exe
-
Snake Keylogger payload
-
StormKitty payload
-
Checks computer location settings
Reads the country code configured in the registry, likely a geofence check so the payload stays dormant in regions the operator wants to avoid.
-
Accesses Microsoft Outlook profiles
Reads Outlook profile data from the registry, where stored mail account credentials live; consistent with the credential-stealing behaviour of the identified families.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
Setting the thread context of another (typically suspended) process redirects its execution; this is characteristic of process hollowing and similar injection, which is how a packed loader hands control to the in-memory payload.
-