General
Target: mkpub_akibet20230927.7z
Size: 331KB
Sample: 230929-g25zlahe75
MD5: 6f5042cf3779db5691ffb84d1a2d1e52
SHA1: ade2dd90364900ba831d28e9ea01db4a854a0933
SHA256: 0b0079bd1fbe84ee7868e980e179d880b9b09859992fad67eed527ce128db612
SHA512: b0458ca6771015b4ada581095b08f772c715ce9d2e91cac65b75f76f3a73a1d9b7fc8b5781507e845ca8381363ee1d57ecb3027907f87e0407edbf7167a0cad9
SSDEEP: 6144:zW3C7ud/15VjBkHiBsJkqFcxVnqRgm+s/LQdfqegg1h58rtDi1UrmPvN43cbA6dg:zkC7uB15ii2DFc2RX3c9gihixc63WA3
Static task
static1

Behavioral task
behavioral1
Sample: akibet20230927170129.exe
Resource: win7-20230831-en

Behavioral task
behavioral2
Sample: akibet20230927170129.exe
Resource: win10v2004-20230915-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.gkas.com.tr
Port: 587
Username: [email protected]
Password: Gkasteknik@2022
Targets
Target: akibet20230927170129.exe
Size: 396KB
MD5: 1d9c34dad928bf8f79e07b02a626b608
SHA1: 3af26a4f24a669b938bc128facc704f8751af8a5
SHA256: 4bccd7f3cfb497ee38b259be7fce0df77b6da86d3651216e0308ca24dacebafa
SHA512: 35498836099599e90636a6c04556845dc6b64f2680b854422fa38f17f573f8d8e3ad83e24ff51dee632d0c5b17edd0ef983a1ec66d2c7417ffd69da0dc7b0d9c
SSDEEP: 12288:/qVOUuA1e24EcORX7c9r+hiUTFJ+kBNyuoCz8Unayi:7FAMEP7nhFJ+sFFq3

- Snake Keylogger payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)