General
-
Target
c82d31e4336c62147f79668c6c033c5a669c53713f880cfba7aafd3a48f74a34
-
Size
331KB
-
Sample
240417-rnewcsbf22
-
MD5
862c5afd19acec33756ead3f664e1633
-
SHA1
b2f8648dc40c52142b5c5a41a6ee3fa5ed6d27ab
-
SHA256
c82d31e4336c62147f79668c6c033c5a669c53713f880cfba7aafd3a48f74a34
-
SHA512
2ee12afcfe1b3cc7569112db75e02655f1f0b8f672198a02726918266aaf0e57946635e7c4409508172f261897271ce04ad04d753ab89beb34298574bc88fe7e
-
SSDEEP
6144:xm8qQYNCFrPoBIBu8ntsjNi0w3V6qgnN4X3DnV90ASIDquDhM:MNQVFrgB7Eta8F3V6qO4nhBJquhM
Static task
static1
Behavioral task
behavioral1
Sample
5bed20739f13f9e82e3ea63a13440fc71a94fbd38ec7c23c72839f16ef2a16c1.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5bed20739f13f9e82e3ea63a13440fc71a94fbd38ec7c23c72839f16ef2a16c1.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
25 - Username:
county@valleycountysar.org - Password:
iU0Ta!$K8L51
http://varders.kozow.com:8081
http://aborters.duckdns.org:8081
http://anotherarmy.dns.army:8081
Targets
-
-
Target
5bed20739f13f9e82e3ea63a13440fc71a94fbd38ec7c23c72839f16ef2a16c1.exe
-
Size
410KB
-
MD5
00ad0301b4173f6d289b072bdb0d261f
-
SHA1
4eda33721659de787974694cceba304e65b3ac78
-
SHA256
5bed20739f13f9e82e3ea63a13440fc71a94fbd38ec7c23c72839f16ef2a16c1
-
SHA512
cc3ddcbd654e6c68a09a4985cba121f223739d1d44169cc079befc77b7a199e43f26216296575e9c555229f2ee96a913a4cac8bb1f649ad345c5f375802be4d0
-
SSDEEP
12288:XiXG+aKCj7IFFfaUtUC7K2uz3UeXz6AmeMOPVk2:+GHVj7wfaUtpuzXzAaPVk
Score10/10-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-