General
-
Target
ffccc74b2625161d73ba369bdd931438ff7d4de8ff092423541fce4b818c99b3
-
Size
286KB
-
Sample
240417-rpy1madb6y
-
MD5
a134997a2d4d1e2caf0d6eae1ccbed9b
-
SHA1
e12577eff1215115a2914325f67b35be8c7b8911
-
SHA256
ffccc74b2625161d73ba369bdd931438ff7d4de8ff092423541fce4b818c99b3
-
SHA512
1bd71888d88112e5a859d60fc5752951f9b575eb292c19720ab87e22810b0b375be9dc4d89f111d6001c067919169bf9c0bbd9f3b7f87dac6591fbcf88d4935a
-
SSDEEP
6144:f+7EEONfYnebCip4d+qT5LJykQGwyrngnuYM3ZcYj0shAk2PtP6eDOgxfx:fpEONQeeeZqFLJ3QebVt3Z/jzakmtP62
Static task
static1
Behavioral task
behavioral1
Sample
7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
snakekeylogger
http://varders.kozow.com:8081
http://aborters.duckdns.org:8081
http://anotherarmy.dns.army:8081
Targets
-
-
Target
7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
-
Size
333KB
-
MD5
b9d77c2410b5808b0e703395bb2907b7
-
SHA1
32e61029b0c3c25c56d5862068a3410a30a7670f
-
SHA256
7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04
-
SHA512
c9c9110c22efd1c246f289396cc00c2e2cccef97e37914a73430fa08b7ea6e8b94b61c602ea82fde28e0e956894c01fbc44d9c105902684ac5b4b83bb3388614
-
SSDEEP
6144:mTyLMh4wMzywrWIq/2K7SBBMIARmCmwOE7bjVPJcfsduGAnx:LLMSewr9hBSRmp6BPJU7GAx
Score10/10-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-