General
-
Target
ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9.exe
-
Size
935KB
-
Sample
240502-cgb4kagb34
-
MD5
e708aa3160e224de971421d5bc2fee29
-
SHA1
7db6e4d3e5e2db1cd12717fa9a62a35a52834c02
-
SHA256
ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9
-
SHA512
47bff81600e4ff9e0a4fdbfa5f16141057bfca9fc0117cc2950428f6c627830482fc683c942a48ca77d37c3f4031d2585999453ce7c877eba6428cfe9ed2eff2
-
SSDEEP
12288:zjU00pFjzc/AKi9r4atz4fM3F58HMiEJy54ll8zhc6O6vo6Oh8IPMbP:L0s3iN4atkA/8Rze78zbP
Static task
static1
Behavioral task
behavioral1
Sample
ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.qoldenfrontier.com - Port:
587 - Username:
[email protected] - Password:
%2WMoWREUv@3
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.qoldenfrontier.com - Port:
587 - Username:
[email protected] - Password:
%2WMoWREUv@3 - Email To:
[email protected]
https://scratchdreams.tk
Targets
-
-
Target
ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9.exe
-
Size
935KB
-
MD5
e708aa3160e224de971421d5bc2fee29
-
SHA1
7db6e4d3e5e2db1cd12717fa9a62a35a52834c02
-
SHA256
ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9
-
SHA512
47bff81600e4ff9e0a4fdbfa5f16141057bfca9fc0117cc2950428f6c627830482fc683c942a48ca77d37c3f4031d2585999453ce7c877eba6428cfe9ed2eff2
-
SSDEEP
12288:zjU00pFjzc/AKi9r4atz4fM3F58HMiEJy54ll8zhc6O6vo6Oh8IPMbP:L0s3iN4atkA/8Rze78zbP
-
Snake Keylogger payload
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables with potential process hoocking
-
UPX dump on OEP (original entry point)
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-