General
-
Target
985841663D5ADEE1A8AF60D7FF49593AB9A48EF1080A96D80B680EA9D32F5904
-
Size
895KB
-
Sample
230718-zk4z3sdh67
-
MD5
bdaba850ea91d9606cd54fc069daa236
-
SHA1
d0b79ebd2de223ad64c5b7ae593a8fc97f60135c
-
SHA256
985841663d5adee1a8af60d7ff49593ab9a48ef1080a96d80b680ea9d32f5904
-
SHA512
c72a2c917d6e739400f454441ebae2d9be03f919d6797a178fed6d38bfeddb2a3c5273381dcbc6388ef3af23e62179f1537f4bcbb3f8914b9504c565dc06235f
-
SSDEEP
24576:/hGTIdIMXtbcupg+qqs6GdSyGeNHnpXWTW6e:/hi8FpFGdSfwnxWTW6e
Static task
static1
Behavioral task
behavioral1
Sample
swift.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
swift.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713
Targets
-
-
Target
swift.exe
-
Size
1.0MB
-
MD5
9e70755fa332d8cf4fdaf16845d53af0
-
SHA1
2ac4d97546e0b65bd4a7155dd554209ba29e00ac
-
SHA256
8ab395051b25a0711bdf0041c343d9a3de2a32b542ff3ee9aa1162c0e14ed28a
-
SHA512
2dcb662d3e618c07ff2f273c9cf2b1a6cac91c68a0147aa2a305400f84b5abd76cddf4d8da14315c8f9683a87de21c3c6d64d35763a6dcea0f2ab19cf4ce2bfd
-
SSDEEP
24576:NTbBv5rUan7Oq9evjU7syeVKN/5ivrWvg:HBj7Oq9eIgy0KN/5ivrig
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-