General
-
Target
8802523573754C8A6930339E8367D599C03D612F5FACE78C938350FA1EF8BDDC
-
Size
895KB
-
Sample
230718-zkkw7sdh44
-
MD5
041d72959c43ecfd7ce4b4ed5bdc6bcc
-
SHA1
a94cc16fa004288bd851d47d7595dd4411ecdafd
-
SHA256
8802523573754c8a6930339e8367d599c03d612f5face78c938350fa1ef8bddc
-
SHA512
2fe118d9cbb6abf55e5bcf2f3fc908e4e0d4f2995ea34926021c6b5fc320314ba41236d9132f3062cc714842c408e2fd9027d5ad0f6cb95166d3eb14627c6416
-
SSDEEP
24576:UhGTIdIMXtbcupg+qqs6GdSyGeNHnpXWTW63:Uhi8FpFGdSfwnxWTW63
Static task
static1
Behavioral task
behavioral1
Sample
PROFORMA.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
PROFORMA.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713
Targets
-
-
Target
PROFORMA.exe
-
Size
1.0MB
-
MD5
9e70755fa332d8cf4fdaf16845d53af0
-
SHA1
2ac4d97546e0b65bd4a7155dd554209ba29e00ac
-
SHA256
8ab395051b25a0711bdf0041c343d9a3de2a32b542ff3ee9aa1162c0e14ed28a
-
SHA512
2dcb662d3e618c07ff2f273c9cf2b1a6cac91c68a0147aa2a305400f84b5abd76cddf4d8da14315c8f9683a87de21c3c6d64d35763a6dcea0f2ab19cf4ce2bfd
-
SSDEEP
24576:NTbBv5rUan7Oq9evjU7syeVKN/5ivrWvg:HBj7Oq9eIgy0KN/5ivrig
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-