General
- Target: 0DCEBAC995B4FD1BA9B04FB41F9D3F9884433C2DC4EF93FD5756D40633CD63C7
- Size: 895KB
- Sample: 230718-zjr9wsdg58
- MD5: 9975350a5d5d6a0973cfdf09428991b2
- SHA1: 6fb1820fc477331b369965573fc007a27d258fd8
- SHA256: 0dcebac995b4fd1ba9b04fb41f9d3f9884433c2dc4ef93fd5756d40633cd63c7
- SHA512: b0e60cb09199587e64e7e9d6bc5919f5e26c6778a7ca0f49bfcfd19533f5fa845d1bc1f615ad79c4eda88b55c8b45287eb250c2b7861e605489c14b2e94ae9c2
- SSDEEP: 24576:DhGTIdIMXtbcupg+qqs6GdSyGeNHnpXWTW6z:Dhi8FpFGdSfwnxWTW6z
Static task
- static1
Behavioral task
- behavioral1
  - Sample: SWIFT TRANSFER.exe
  - Resource: win7-20230712-en
Behavioral task
- behavioral2
  - Sample: SWIFT TRANSFER.exe
  - Resource: win10v2004-20230703-en
Malware Config
Extracted
- snakekeylogger
- https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713
Targets
- Target: SWIFT TRANSFER.exe
- Size: 1.0MB
- MD5: 9e70755fa332d8cf4fdaf16845d53af0
- SHA1: 2ac4d97546e0b65bd4a7155dd554209ba29e00ac
- SHA256: 8ab395051b25a0711bdf0041c343d9a3de2a32b542ff3ee9aa1162c0e14ed28a
- SHA512: 2dcb662d3e618c07ff2f273c9cf2b1a6cac91c68a0147aa2a305400f84b5abd76cddf4d8da14315c8f9683a87de21c3c6d64d35763a6dcea0f2ab19cf4ce2bfd
- SSDEEP: 24576:NTbBv5rUan7Oq9evjU7syeVKN/5ivrWvg:HBj7Oq9eIgy0KN/5ivrig
- Snake Keylogger payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext