General

Target: DHL EXPRESS AWB DOC.exe
Size: 708KB
Sample: 230505-r9ahrsbb52
MD5: 4a2fb0d3859d4fb7cb6c97e0a6817584
SHA1: fbd0fa257ac8729fa149eb323853de20469dbbeb
SHA256: 8e2b4ef3690596ac262df39667fbc2c9cdd5870a1215fd43e1075261a5dfc529
SHA512: fafca38175457b61dbbd72a02ab6d75172a94b2e5800f2eded4b8f623b5a4676ec796f7ed3dd1636e3b751df1f65424b4ec3e5f13e6e1fde51e35dff88f455ad
SSDEEP: 12288:3DMq4fyMw8CJuuJ99fRKKGNDvgeFLtZexgQKxFUTWIEMW:CS9WKGkehQquT
Tasks

Static task: static1
Behavioral task: behavioral1 (sample: DHL EXPRESS AWB DOC.exe; resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: DHL EXPRESS AWB DOC.exe; resource: win10v2004-20230220-en)
Malware Config

Extracted family: snakekeylogger
Exfiltration URL (Telegram Bot API sendMessage endpoint; the path carries the bot token and the query string the receiving chat_id): https://api.telegram.org/bot5799835476:AAFiZfeIZu-7ZRuBqclPng8ud3yXZLUXpw8/sendMessage?chat_id=5666881718
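The extracted configuration above is the most actionable item in this report: the Telegram Bot API URL embeds the bot token and the receiving chat_id, both of which make good network indicators. The following Python is an added example, not part of the sandbox report and not the keylogger's own code. It splits the URL into bot id, token, API method and chat_id, then runs that logic over a handful of constructed proxy log lines: a request carrying this sample's token is labelled as the known exfiltration channel, and any other Telegram Bot API call is labelled for review. The log line format, the client IPs and the second (fake) bot token are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Exfiltration endpoint exactly as extracted from the sample's configuration (from the report).
EXFIL_URL = ("https://api.telegram.org/bot5799835476:AAFiZfeIZu-7ZRuBqclPng8ud3yXZLUXpw8"
             "/sendMessage?chat_id=5666881718")

# Telegram Bot API path layout: /bot<numeric bot id>:<secret>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)/?$")


def parse_telegram_bot_url(url):
    """Return bot id, full token, API method and chat_id for a Bot API URL, or None otherwise."""
    u = urlparse(url)
    m = BOT_PATH_RE.match(u.path)
    if u.hostname != "api.telegram.org" or m is None:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": chat_id,
    }


# Indicators derived from this sample's configuration.
KNOWN_C2 = parse_telegram_bot_url(EXFIL_URL)

# Constructed proxy log lines for the example (assumed format:
# "<timestamp> <client_ip> <http_verb> <url>"); none of these come from the report.
# The second bot token is a made-up value standing in for an unrelated campaign.
SAMPLE_LOG = """\
2023-05-05T10:01:02Z 10.0.0.15 GET https://www.dhl.com/en/express.html
2023-05-05T10:01:09Z 10.0.0.15 GET http://ip-lookup.example/
2023-05-05T10:01:11Z 10.0.0.15 POST https://api.telegram.org/bot5799835476:AAFiZfeIZu-7ZRuBqclPng8ud3yXZLUXpw8/sendMessage?chat_id=5666881718
2023-05-05T10:04:30Z 10.0.0.22 POST https://api.telegram.org/bot1234567890:AAEexampleTokenForTestingOnly0000000/sendDocument?chat_id=42
2023-05-05T10:05:00Z 10.0.0.31 GET https://telegram.org/
"""


def classify_request(url):
    """Label a URL: 'known_c2' (this sample's token), 'telegram_bot_api' (any other Bot API call), else None."""
    info = parse_telegram_bot_url(url)
    if info is None:
        return None
    if info["token"] == KNOWN_C2["token"]:
        return "known_c2"
    return "telegram_bot_api"


def scan_proxy_log(log_text):
    """Return (client_ip, label, bot_id, method) for every Bot API request found in the log."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines rather than crash on them
            continue
        _ts, client_ip, _verb, url = parts
        label = classify_request(url)
        if label is not None:
            info = parse_telegram_bot_url(url)
            findings.append((client_ip, label, info["bot_id"], info["method"]))
    return findings


if __name__ == "__main__":
    for client_ip, label, bot_id, method in scan_proxy_log(SAMPLE_LOG):
        print(f"{client_ip}\t{label}\tbot={bot_id}\tmethod={method}")
```

Matching on the token rather than on the hostname matters because api.telegram.org is ordinary traffic in many environments; the generic telegram_bot_api label still needs triage, but workstations rarely have a legitimate reason to call the Bot API, so it is worth surfacing alongside the exact match.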
Targets

Target: DHL EXPRESS AWB DOC.exe
Size: 708KB
Hashes: identical to those listed under General above (MD5, SHA1, SHA256, SHA512, SSDEEP)
Score: 10/10

Signatures
- Snake Keylogger payload
- StormKitty payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext