General
Target: New PO748N23.PDF.exe
Size: 924KB
Sample: 230605-gmfq6aff2s
MD5: a8549737d61df8a9e3df01f3d4760986
SHA1: a5c9688cc73367761dc575ee28a15de62e650ab1
SHA256: a753f83785176aaa5a16f73f390110dd3f804c08c52d8e90b42ed337e461da69
SHA512: 5e58d14dcac30e8bfb73afe16dc1fc7a689ab90abead38f89ab4fdfcd6248054d1e8d5b060c8320f8b942ba07200b6df3f7240c91ba7260997536a06a9525030
SSDEEP: 24576:NTbBv5rUanyfTPmHkHBP2Gu1r0hspaAcKEby9IulEN/:HBjITOHkHBP2agaAcem/
Static task: static1
Behavioral task: behavioral1 (Sample: New PO748N23.PDF.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: New PO748N23.PDF.exe; Resource: win10v2004-20230220-en)
Malware Config
Extracted family: snakekeylogger
URL: https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484
Targets
Target: New PO748N23.PDF.exe
- Snake Keylogger payload
- StormKitty payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext