General
Target: Gsoclhmbn.exe
Size: 31KB
Sample: 230721-gjk7gach2z
MD5: cff7a757c7546ed630d63f863cbac4c5
SHA1: 9a6fa9c033c0f6c0dbe4695210e63f72d60c4950
SHA256: e0f99651e49f6c8aa666a1847674bce2133a0d39e3e3e503f7159601ff02ff2d
SHA512: 82bced4b93e21b633aa98c241ca5495c7f457e6def65626e390fe5639f9aef7f05a57ddf444dd1b7f61905d1e3d91cf876b86285704abb2ff10bd34d7a30cfab
SSDEEP: 384:Ul1OhjCIuJyOoZsyZGtzoKx1tO5Iari+7gvJG3/:Q6eyZkc6O57YhGv
Static task: static1
Behavioral task: behavioral1 (sample Gsoclhmbn.exe, resource win7-20230712-en)
Behavioral task: behavioral2 (sample Gsoclhmbn.exe, resource win10v2004-20230703-en)
Malware Config
Extracted family: snakekeylogger
Exfiltration endpoint: https://api.telegram.org/bot6362226928:AAEy_YKrGOhDs-QKpzHM8bwWaBrcjSBTM4A/sendMessage?chat_id=6373691592
The endpoint is a Telegram Bot API call: the path segment after "bot" is the operator's bot token (bot id 6362226928), and chat_id=6373691592 is the chat that receives the stolen data. Both values are stable indicators for this operator's infrastructure, so alert or block on the token rather than on api.telegram.org as a whole.
Targets
Target: Gsoclhmbn.exe
Size: 31KB
Signatures
- Snake Keylogger payload
- Accesses Microsoft Outlook profiles: reads stored mail-client account data, the credential-theft side of this family.
- Adds Run key to start application: registry Run-key persistence, so the sample relaunches at logon.
- Creates a large amount of network flows. The sandbox's generic note is that this may indicate a network scan to discover remotely running services; for this sample, check whether the flows are the IP lookup and repeated posts to the extracted Telegram endpoint before reading them as scanning.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, which is typically included in the exfiltrated report.
- Suspicious use of SetThreadContext: the API commonly used in process hollowing to start an injected payload in a new process; inspect the hollowed child process as well as Gsoclhmbn.exe itself.
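The extracted Telegram endpoint, the IP-lookup signature and the "large amount of network flows" signature together describe one detection problem: pick the client that did an external IP lookup and then posted to a Telegram bot, and recognise the operator's specific bot token when it appears. The following script is an added example, not part of the sandbox report or of any Triage tooling. It takes the endpoint and file hashes from the report as given; the proxy log format (timestamp, client, method, URL, status), the log lines themselves and the list of IP-lookup hosts are constructed assumptions.

```python
"""Offline triage of the Snake Keylogger report's indicators (added example).

Report values: EXTRACTED_C2 and REPORT_HASHES.  Assumed/constructed:
the proxy log format, SAMPLE_PROXY_LOG and IP_LOOKUP_HOSTS.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Copied from the report.
EXTRACTED_C2 = ("https://api.telegram.org/bot6362226928:"
                "AAEy_YKrGOhDs-QKpzHM8bwWaBrcjSBTM4A/sendMessage?chat_id=6373691592")
REPORT_HASHES = {
    "md5": "cff7a757c7546ed630d63f863cbac4c5",
    "sha1": "9a6fa9c033c0f6c0dbe4695210e63f72d60c4950",
    "sha256": "e0f99651e49f6c8aa666a1847674bce2133a0d39e3e3e503f7159601ff02ff2d",
}

# Telegram Bot API URLs carry the credential inline: /bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")

# Assumed list of "what is my IP" services; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ipinfo.io"}

# Constructed proxy log: one infected client, one benign client, one other bot user.
SAMPLE_PROXY_LOG = """\
2023-07-21T10:02:11Z 10.0.0.15 GET http://checkip.dyndns.org/ 200
2023-07-21T10:02:13Z 10.0.0.15 POST https://api.telegram.org/bot6362226928:AAEy_YKrGOhDs-QKpzHM8bwWaBrcjSBTM4A/sendMessage?chat_id=6373691592 200
2023-07-21T10:02:14Z 10.0.0.22 GET https://www.example.com/index.html 200
2023-07-21T10:03:40Z 10.0.0.31 POST https://api.telegram.org/bot1234567890:AAHnotTheReportedToken/sendDocument 200
2023-07-21T10:05:02Z 10.0.0.22 GET https://api.ipify.org/ 200
"""


def parse_telegram_c2(url):
    """Return bot_id, full token, API method and chat_id of a Bot API URL, or None."""
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    chat = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "token": f"{m['bot_id']}:{m['secret']}",
            "method": m["method"], "chat_id": chat}


def match_sample_hashes(data):
    """Which of the report's digests does this byte string match?"""
    return {alg: hashlib.new(alg, data).hexdigest() == digest
            for alg, digest in REPORT_HASHES.items()}


def scan_proxy_log(log_text, known_c2=EXTRACTED_C2):
    """Flag per client: the known bot token, any Telegram bot traffic, IP-lookup calls."""
    known = parse_telegram_c2(known_c2)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # assumed format: ts client method url [status]
        _ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        tg = parse_telegram_c2(url)
        if tg and tg["token"] == known["token"]:
            findings.append((client, "high", "known Snake Keylogger bot token", tg["method"]))
        elif tg:
            findings.append((client, "medium", "Telegram Bot API use from endpoint", tg["method"]))
        elif host in IP_LOOKUP_HOSTS:
            findings.append((client, "low", "external IP lookup", host))
    return findings


def correlate_clients(findings):
    """Clients showing the report's sequence: external IP lookup plus Telegram bot traffic."""
    reasons = defaultdict(set)
    for client, _sev, reason, _detail in findings:
        reasons[client].add(reason)
    return sorted(c for c, r in reasons.items()
                  if "external IP lookup" in r
                  and any(x.startswith(("known", "Telegram")) for x in r))


if __name__ == "__main__":
    print(parse_telegram_c2(EXTRACTED_C2))
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit)
    print("lookup + Telegram sequence:", correlate_clients(hits))
```

The low-severity IP-lookup hit is noise on its own; it becomes useful only when the same client also talks to a Telegram bot, which is why correlate_clients groups findings by client rather than alerting per line. Replace SAMPLE_PROXY_LOG with real proxy output in the same column order, or adjust the split in scan_proxy_log to your log format.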