General
Target: 65935c52361fcf2924b32d057820124ab299e9946eb65f1b87194569127d6972
Size: 367KB
Sample: 240417-rnmafabf28
MD5: 640731511894d34d3b9908759836b117
SHA1: 4d3871093886a52d7b291a07a5f827982809c666
SHA256: 65935c52361fcf2924b32d057820124ab299e9946eb65f1b87194569127d6972
SHA512: ef19217fcc1bedd043e95f8826eab22b89b1a5fbc1a9ea28b3a6bfcdafe9944964bbf5de43fac2aa70677b363dff07baba644dd80fc3cee592b77087cc3f7260
SSDEEP: 6144:ZkWqvrJNECEwjaOQinPvEWJTEa2VfNJpPbL0Zraj92cZQ++Lk96p2JvyIw:ZkBvrGVOTJ4tVfZPbLl93ZQHLk96pIyb
Static task: static1
Behavioral task: behavioral1
Sample: 8fd20cef7ac3cda0ae24789bbc1b4a8fb6c6bc7d37c8f35d1a30a0ab5625b9dd.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 8fd20cef7ac3cda0ae24789bbc1b4a8fb6c6bc7d37c8f35d1a30a0ab5625b9dd.exe
Resource: win10v2004-20240412-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: valleycountysar.org
Port: 25
Username: county@valleycountysar.org
Password: iU0Ta!$K8L51
http://varders.kozow.com:8081
http://aborters.duckdns.org:8081
http://anotherarmy.dns.army:8081
Targets
Target: 8fd20cef7ac3cda0ae24789bbc1b4a8fb6c6bc7d37c8f35d1a30a0ab5625b9dd.exe
Size: 482KB
MD5: 65849e25611a3437eb333d44ef029911
SHA1: 03a2ae54834b0afc9636d850dca900f27086667d
SHA256: 8fd20cef7ac3cda0ae24789bbc1b4a8fb6c6bc7d37c8f35d1a30a0ab5625b9dd
SHA512: e3c640edfb81f183702bcc30aac5c22a854299aba684960534c7ea92e40295e945e06698b499ebd89ab5d5e545abbd0f4990868774f673952538b92680219736
SSDEEP: 6144:Tgwx34+E7+JyBKumvv1yE6d8J5FYyj2xlhIlsDs61IsKZyKpr40QBo24omWjmY4q:cYxEyVvXi8JrFUVKZQ0gowmXq
Score: 10/10
Snake Keylogger payload
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Deletes itself
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext