General
- Target: Purchase Order 0620.PDF.exe
- Size: 1.4MB
- Sample: 230602-qkhbmsbh8w
- MD5: ce21d87f567ceca173a92c5a1b3ba148
- SHA1: 18d4d80d666d92644268f80e9eaa7946f399d44d
- SHA256: 9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1
- SHA512: 6961ce4d1d2a301ac131f2dd81150b743b4e38b2e3cd8b31c8e9d251368e97f730a01f92e708183fd8009fe9037f2d9432c869effc31a91f34136c7e772298f0
- SSDEEP: 24576:lTbBv5rUFcDvfTPmHkTD4jLfgoPS+O6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8Oxv:PBHnTOHk30LfBP/ZcmSvXeMdj8xyxb/d
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order 0620.PDF.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Purchase Order 0620.PDF.exe
- Resource: win10v2004-20230220-en
Malware Config
- Extracted: snakekeylogger
- https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484
Targets
- Target: Purchase Order 0620.PDF.exe
- Size: 1.4MB
- Snake Keylogger payload
- StormKitty payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext