General
Target: documenthus20230921.img
Size: 400.6MB
Sample: 230924-yzy7psba43
MD5: 632eb3ef148a5a6042730dde2482b838
SHA1: a91b18f5a38427c7f7d799df6f2b190f14323cc0
SHA256: 240425b2812962dbb4faa0bf79741dca873efdfbd03a1edfd6dfbafb573b1353
SHA512: 25c417a2b4a74d34576a9bf3727eac9a4922725222c48198842279d4fdefb7940eb5fa6f4fc847d13174ab279ef5394a7d910b2596dab33a46ed5401659881eb
SSDEEP: 12288:i7FAPAQo3JU1HYIywtfeWUV/fzQjfqlvmTCNwmrYn5n+wuPrhSa:i76QZUk4Uh78g+ONwiYn5nCroa
Static task: static1
Behavioral task: behavioral1 (sample DOCUMENT.exe, resource win10-20230915-en)
Behavioral task: behavioral2 (sample DOCUMENT.exe, resource win10v2004-20230915-en)
Malware Config
Extracted (family not labelled)
Protocol: ftp
Host: ftp.product-secured.com
Port: 21
Username: [email protected] (the address is not recoverable from this capture)
Password: 2V8SHFwjad34@@##
Extracted (snakekeylogger)
Protocol: ftp
Host: ftp://ftp.product-secured.com/
Port: 21
Username: [email protected] (the address is not recoverable from this capture)
Password: 2V8SHFwjad34@@##
Both extractions yield the same exfiltration account; only the host is written differently (bare hostname vs. ftp:// URL). Exfiltration is over plain FTP on port 21, so the hostname, the port and the credential strings sent in the FTP USER/PASS commands are all usable as network indicators, and the password is reusable by anyone who captures it.
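The following triage helper turns the extracted config above into a detector that can be run over captured FTP control-channel commands. It is an added example, not part of the sandbox report or of Snake Keylogger itself; it assumes a constructed log format of the form `<timestamp> <src> -> <dst>:<port> <COMMAND> [arg]`, and the sample lines in it are made up. Because the FTP username is not recoverable from this capture, matching is on host, port and password only; the host normaliser accepts both forms that appear in the two extractions.

```python
"""Triage helper built from the FTP exfiltration config extracted above.

Added example, not part of the sandbox report or of Snake Keylogger itself.
It assumes FTP control-channel commands were captured in a constructed log
format '<timestamp> <src> -> <dst>:<port> <COMMAND> [arg]'; the field layout
and the sample lines below are made up for illustration.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report. The FTP username is not recoverable from
# this capture, so only host, port and password are matched.
EXFIL_HOST_RAW = "ftp://ftp.product-secured.com/"  # form seen in the second extraction
EXFIL_PORT = 21
EXFIL_PASSWORD = "2V8SHFwjad34@@##"


def normalize_host(value: str) -> str:
    """Reduce either form seen in the report (bare hostname or ftp:// URL)
    to a lowercase hostname so both compare equal."""
    value = value.strip()
    if "://" in value:
        value = value.split("://", 1)[1]
    return value.split("/", 1)[0].lower()


EXFIL_HOST = normalize_host(EXFIL_HOST_RAW)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    cmd: str
    reason: str  # "exfil-host" or "exfil-password"


def scan_ftp_log(lines):
    """Return one Hit per log line that talks to the known exfil host, or
    that reuses the extracted password against any other FTP server."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an FTP command line in the assumed format
        dst = normalize_host(m["dst"])
        port = int(m["port"])
        cmd = m["cmd"]
        arg = m["arg"] or ""
        if dst == EXFIL_HOST and port == EXFIL_PORT:
            hits.append(Hit(m["ts"], m["src"], dst, cmd, "exfil-host"))
        elif cmd == "PASS" and arg == EXFIL_PASSWORD:
            # Same credential on a different host: the operator may have
            # moved infrastructure but kept the account.
            hits.append(Hit(m["ts"], m["src"], dst, cmd, "exfil-password"))
    return hits


# Constructed sample log: one infected host talking to the exfil server
# (including a STOR upload) and one internal session reusing the password.
SAMPLE_LOG = [
    "2023-09-24T10:01:02Z 10.0.0.15 -> ftp.product-secured.com:21 USER <not-recoverable-from-report>",
    "2023-09-24T10:01:03Z 10.0.0.15 -> ftp.product-secured.com:21 PASS 2V8SHFwjad34@@##",
    "2023-09-24T10:01:04Z 10.0.0.15 -> ftp.product-secured.com:21 STOR passwords.txt",
    "2023-09-24T10:05:00Z 10.0.0.22 -> files.internal.example:21 USER backup",
    "2023-09-24T10:05:01Z 10.0.0.22 -> files.internal.example:21 PASS 2V8SHFwjad34@@##",
    "2023-09-24T10:06:00Z 10.0.0.22 -> files.internal.example:21 LIST",
]

if __name__ == "__main__":
    for h in scan_ftp_log(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst} {h.cmd}: {h.reason}")
```

Run as a script it lists four hits: the three commands sent to ftp.product-secured.com, and the PASS line on the internal server because the same password was presented there. In a real deployment the lines would come from a Zeek ftp.log or a proxy export rather than the constructed format used here, and the password match is worth keeping even after the host is sinkholed, since the credential is in the malware config and will reappear wherever the operator stands up a new server.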
Targets
Target: DOCUMENT.EXE
Size: 400.0MB
MD5: e2638e646b62a210e138adacb551d0b3
SHA1: 08c84305ad48439626e5a15a49f639714c61cf0b
SHA256: 1b82db028a2e3cfd34f3e2eec873da2e87e458b36581bebca0bc04a8d7f60aba
SHA512: 92d3f246e4dd908c583216815f3f9e421172d270b26c2a7a592c135b7876fcc6075ba741621f428be4cce664e7071475745dd510fdc6e479d81053acae9944bd
SSDEEP: 12288:E7FAPAQo3JU1HYIywtfeWUV/fzQjfqlvmTCNwmrYn5n+wuPrhSa:E76QZUk4Uh78g+ONwiYn5nCroa
The SSDEEP digests of the .img container and of DOCUMENT.EXE differ in a single character, so the disk image is little more than a wrapper around the executable. A 400 MB executable is far larger than a keylogger needs; a size like this is consistent with padding intended to keep the file above the upload limits of scanning services, so block on the hashes rather than on a size heuristic.
Score: 10/10
Signatures
- Snake Keylogger payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence to avoid running in certain locales.
- Executes dropped EXE: consistent with DOCUMENT.EXE being written out of the .img container and launched.
- Accesses Microsoft Outlook profiles: Outlook profile data is a common source of stored mail account credentials for stealers of this family.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, which is typically reported alongside the stolen data.
- Suspicious use of SetThreadContext: redirecting a thread's context is a common step in process injection (for example process hollowing), so the logged payload may be running inside a different process than DOCUMENT.EXE.