General
Target: b9de522fe604ad6c87cbaa01109b812e59f755e44dd134051d0f36df3929c6f7
Size: 331KB
Sample: 240417-rna76sbe92
MD5: e6dbdbf9050290ffc69e5b91f535281c
SHA1: 6842612432f25096e5c098baf1c4ca7c22ccbf2b
SHA256: b9de522fe604ad6c87cbaa01109b812e59f755e44dd134051d0f36df3929c6f7
SHA512: ed3c9ec899f2e0a451f434a1d43cbf044a633d119b941d4a0659c4c2ce8a6cd361aef357ca6133aafb18a250f9ca94a549ad8378970e5555e6fa5f086c30af90
SSDEEP: 6144:HQ53Ac+Ved8Z4Yw0d7I6wtV9LU7eD5ggq604vZWWx3r78Iwu7v:HQ5wc+VeWZ4Yst/UaJ0kxvBv
Static task: static1
Behavioral task: behavioral1
Sample: ea53a3ff383cf9d83302a015521ec95083a4299838a7673a7c707922138b6d51.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: ea53a3ff383cf9d83302a015521ec95083a4299838a7673a7c707922138b6d51.exe
Resource: win10v2004-20240412-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: valleycountysar.org
Port: 25
Username: county@valleycountysar.org
Password: iU0Ta!$K8L51
http://varders.kozow.com:8081
http://aborters.duckdns.org:8081
http://anotherarmy.dns.army:8081
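The extracted config is the most actionable part of this report: the sample authenticates to a mailbox (valleycountysar.org:25 as county@valleycountysar.org) to exfiltrate what it logs, and it carries three dynamic-DNS hostnames on port 8081. Treat the mailbox, its username and those hostnames as indicators; the password is the exfiltration credential and belongs in the IOC record, never in anything that reuses it. The matcher below is an added example written for this page, not output of the sandbox or code from the malware: it takes the indicators from the config above and runs them over constructed DNS, web-proxy and mail-gateway log lines in simple whitespace-separated formats that are assumed for illustration. Two design points a practitioner cares about are built in: it matches complete hostnames only (duckdns.org, kozow.com and dns.army are shared dynamic-DNS providers, so their apexes must not be blocked or alerted on), and a proxy hit records whether the destination port also matched the configured 8081, so a plain port-80 contact to the same host is still surfaced but distinguishable.

```python
"""Match the indicators from the extracted Snake Keylogger config against log lines.

Added example for this report. The log lines are constructed, not taken from
the sandbox run; the log formats are assumptions for illustration.
"""
from urllib.parse import urlparse

# Indicators copied from the "Malware Config" section of the report.
SMTP_EXFIL = {
    "host": "valleycountysar.org",
    "port": 25,
    "username": "county@valleycountysar.org",
}
HTTP_ENDPOINTS = [
    "http://varders.kozow.com:8081",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
]


def ioc_hostnames() -> set[str]:
    """Exact hostnames to match. The dynamic-DNS apexes (duckdns.org,
    kozow.com, dns.army) are shared providers and are deliberately not
    included; only the full hostnames from the config count."""
    hosts = {SMTP_EXFIL["host"]}
    for url in HTTP_ENDPOINTS:
        hosts.add(urlparse(url).hostname)
    return hosts


def ioc_sockets() -> set[tuple[str, int]]:
    """(hostname, port) pairs that identify the configured endpoints exactly."""
    sockets = {(SMTP_EXFIL["host"], SMTP_EXFIL["port"])}
    for url in HTTP_ENDPOINTS:
        parsed = urlparse(url)
        sockets.add((parsed.hostname, parsed.port or 80))
    return sockets


# Constructed DNS log: "<ts> <client> <qtype> <qname>"
DNS_LOG = [
    "2024-04-17T10:02:11Z 10.0.0.5 A aborters.duckdns.org.",
    "2024-04-17T10:02:12Z 10.0.0.5 A www.example.com.",
    "2024-04-17T10:02:30Z 10.0.0.7 A home.duckdns.org.",  # same provider, different host: no hit
    "2024-04-17T10:03:00Z 10.0.0.5 MX valleycountysar.org.",
]

# Constructed proxy log: "<ts> <client> <method> <url> <status>"
PROXY_LOG = [
    "2024-04-17T10:02:12Z 10.0.0.5 GET http://aborters.duckdns.org:8081/ 200",
    "2024-04-17T10:02:40Z 10.0.0.9 GET http://varders.kozow.com/ 200",  # host hit, port differs
    "2024-04-17T10:02:41Z 10.0.0.9 GET https://www.example.com/ 200",
]

# Constructed mail-gateway log: "<ts> <client> <dst_host:dst_port> AUTH <user>"
SMTP_LOG = [
    "2024-04-17T10:03:01Z 10.0.0.5 valleycountysar.org:25 AUTH county@valleycountysar.org",
    "2024-04-17T10:03:05Z 10.0.0.7 smtp.example.com:587 AUTH alice@example.com",
]


def scan_dns(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for queries that name a configured host exactly."""
    hosts = ioc_hostnames()
    hits = []
    for line in lines:
        _ts, client, _qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in hosts:
            hits.append((client, qname))
    return hits


def scan_proxy(lines: list[str]) -> list[tuple[str, str, int, bool]]:
    """Return (client, host, port, exact_socket_match) for requests to a configured host."""
    hosts, sockets = ioc_hostnames(), ioc_sockets()
    hits = []
    for line in lines:
        _ts, client, _method, url, _status = line.split()
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in hosts:
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            hits.append((client, host, port, (host, port) in sockets))
    return hits


def scan_smtp(lines: list[str]) -> list[tuple[str, str, int, str]]:
    """Return (client, dst_host, dst_port, user) when either the exfil mailbox
    username or the configured host:port appears in an outbound AUTH."""
    hits = []
    for line in lines:
        _ts, client, dst, _auth, user = line.split()
        host, _, port = dst.rpartition(":")
        socket = (host.lower(), int(port))
        if user.lower() == SMTP_EXFIL["username"] or socket == (SMTP_EXFIL["host"], SMTP_EXFIL["port"]):
            hits.append((client, host.lower(), int(port), user))
    return hits


if __name__ == "__main__":
    for name, hits in (("dns", scan_dns(DNS_LOG)), ("proxy", scan_proxy(PROXY_LOG)), ("smtp", scan_smtp(SMTP_LOG))):
        for hit in hits:
            print(name, hit)
```

Run as a script it prints one line per hit; the same functions can be pointed at real exports once the `split()` calls are adapted to the actual log layout. The mailbox username is the highest-fidelity indicator here, since a legitimate host would not authenticate outbound as county@valleycountysar.org from a workstation.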
Targets
Target: ea53a3ff383cf9d83302a015521ec95083a4299838a7673a7c707922138b6d51.exe
Size: 410KB
MD5: 3aa4f27e5d5057cdfeb9f81fe6925ec8
SHA1: be5e0edb0dca42602021492ea21753a7a3b638d2
SHA256: ea53a3ff383cf9d83302a015521ec95083a4299838a7673a7c707922138b6d51
SHA512: 8dbd7751405ffb1dfed9caa75f4412c03458d5ece10fe655de31083a207a256660818d9ff488c9bad88ddeb141c422c25a6d8b530bc47b9905157b758837d1cc
SSDEEP: 6144:3tQkq7iHAOiXqRv+enKCjZ94XkYbjdfa7ib2C72BdkEKWGH7FHboEey/cZOsmz+u:viXG+aKCj7IFFfa7i6C7KGc46AmeMTP
Score: 10/10
- Snake Keylogger payload
- Deletes itself
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (the call used to redirect a suspended thread at injected code, as in process hollowing and similar injection techniques)