General
-
Target
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
-
Size
692KB
-
Sample
231011-q2y1qaag3z
-
MD5
f0683bb61a43a8dd7061dbd8ee3af88b
-
SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989
-
SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
-
SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7
-
SSDEEP
12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH
Static task
static1
Behavioral task
behavioral1
Sample
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Targets
-
-
Target
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
-
Size
692KB
-
MD5
f0683bb61a43a8dd7061dbd8ee3af88b
-
SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989
-
SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
-
SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7
-
SSDEEP
12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1