General

  • Target

    04f5e82f294127ad6d17b5be54ca4d8a

  • Size

    1.5MB

  • Sample

    231229-1tp3yscde5

  • MD5

    04f5e82f294127ad6d17b5be54ca4d8a

  • SHA1

    1d76a53a5c83d4ec5898e37cd414e8fcdaf21704

  • SHA256

    2bd56fc7272ef5778feda356b57529bb6e3b4223cfc84bc4084a23984cb9a73e

  • SHA512

    222ae1302aba5c412080c0a2317fc212036bd715ebcff7ba26690ec697f8c34d5e75dd420a92c81636fb461ae09c344056fa60dbf1c2fc174eef22670a8b52de

  • SSDEEP

    24576:W8pDseCjSQlRqo0cG/hRLLDrsZeQowE8s5ewngfkWv9tbuY18Gc7JP+OOtVO6zBV:d0SOkzmVae/8WlO1+OyrR93

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ipa8

Decoy


Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 25
  • Username: admin@evapimlogs.com
  • Password: BkKMmzZ1
  • Email To: nonyekeylogger@gmail.com

Targets

    • Target

      QFL21070864140HQ-pdf.exe

    • Size

      1.0MB

    • MD5

      dc1d2738ba06e1287d61bab41bdb587f

    • SHA1

      29220b1a6efc6eee9e6691fe09c8ab001ecb07c4

    • SHA256

      8d14d34bfe71397c4afe1a39bd68139f0d044f21e4cf5eaa43fc8fc15cb74d82

    • SHA512

      2f056a5ea3adcbf35cca58c820e806718498aadec7bd552c138bb9f4076bc9a959e8412f9a9c5298bff1b9969b675142c52f6f0b4f11c13e6c40e79c8a2d163e

    • SSDEEP

      24576:MAfuE/aqagftlM1vj9L5O5Fx85/drK64JCG4RoyCcbO82QsFKw2L9:MAfuE/aqagftlM1vj7OgK64JxqkcbeK9

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Xloader payload

    • Suspicious use of SetThreadContext

    • Target

      SO06598270-PI#JARA03-pdf.exe

    • Size

      998KB

    • MD5

      2d472944cce2a1a6664c29336004f22c

    • SHA1

      2d88407509c184f6ea85f81910f4c81dc118499b

    • SHA256

      5abec5e92048d2cf64785ed4a873acc4fd88be7d361e47b5508753bd43eeafb2

    • SHA512

      b4d24ccd5a345fbcd845b7cb4176bb23e5bc42a8e1e4302ba7d2a4c67864ff7e266351e3910ba32eb4799159e3c35d7465cb4fa6fe4324255b82bed377f21cf1

    • SSDEEP

      24576:JoFGjUhRm/dFgaK64E3MyOvAcamEe/aNF0ZoR:CFk69aK6443OYO0Noc

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
