General
- Target: RFQ_92889128.pif.exe
- Size: 636KB
- Sample: 240711-hm25tsthmq
- MD5: 33a090dccf943c2275404a12d463f7c2
- SHA1: 5fc8a3ad2b2f65d74793bb6b7cfd973e33969b23
- SHA256: 5162998410249741117aa8b3e5f565c715052caf2628e387ef3e266dafbf2b25
- SHA512: bd690b403518b3aaa78d0ff6262822dc37b337e814ed744108e14bacd276f311a9560db307e290f144c72b15632c25f67b26e0508c11c566661717c058d21492
- SSDEEP: 12288:2xgblOLj6IUyH8LjOh/VYJgDYomJ4NnNiZHK9VForrJVHl9HAkvE1eQpT:ogh8UE6lSDpmJ4Nn8dK9VFoL3LMEQp
Static task: static1
Behavioral task: behavioral1 (sample RFQ_92889128.pif.exe, resource win7-20240705-en)
Behavioral task: behavioral2 (sample RFQ_92889128.pif.exe, resource win10v2004-20240709-en)
Malware Config
Extracted
- Family: snakekeylogger
- Exfiltration endpoint (Telegram Bot API sendMessage; the bot token in the path is the credential for the operator's bot and chat_id in the query is the destination chat):
  https://api.telegram.org/bot6586430362:AAFht6dWuqVwCGM9yLNchh9SF2eYj5iNi4w/sendMessage?chat_id=7062552884
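The extracted config above is the sample's exfiltration channel. As an added example (not part of the sandbox report), the Python below splits the Telegram Bot API URL into the bot id, the full token, the API method and the chat_id, then uses those pieces plus a small watch-list of IP-lookup hosts to triage proxy log lines. The proxy log layout (timestamp, client IP, method, target), the log lines themselves and the IP-lookup host list are assumptions of this example; the report does not name the IP-lookup service the sample used.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Exfiltration URL as extracted by the sandbox (copied from the report above).
EXTRACTED_C2 = ("https://api.telegram.org/bot6586430362:AAFht6dWuqVwCGM9yLNchh9SF2eYj5iNi4w"
                "/sendMessage?chat_id=7062552884")

# A Bot API path is /bot<numeric bot id>:<secret>/<method>; the whole "<id>:<secret>"
# string is the bearer credential for that bot.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

# IP-lookup hosts we choose to watch. The report only says "a legitimate IP lookup
# service"; this list is an assumption of this example, not sandbox output.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ifconfig.me", "ip-api.com"}


def parse_telegram_c2(url):
    """Split a Telegram Bot API exfil URL into the pieces an IR ticket needs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    m = BOT_PATH_RE.match(parts.path)
    if m is None:
        raise ValueError("unexpected Bot API path layout")
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": chat_id,
    }


def match_proxy_line(line, ioc):
    """Return 'token', 'telegram-host', 'ip-lookup' or None for one proxy log line.

    Assumed layout: <timestamp> <client ip> <method> <target>.
    """
    fields = line.split()
    if len(fields) < 4:
        return None
    method, target = fields[2], fields[3]
    if method == "CONNECT":
        # TLS without interception: only host:port is visible, never the token.
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    if host == "api.telegram.org":
        # The token in the URL is only visible on a TLS-intercepting proxy.
        return "token" if f"/bot{ioc['token']}/" in target else "telegram-host"
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    return None


def triage(lines, ioc):
    """Return (client ip, verdict) for every line that matches an indicator."""
    hits = []
    for line in lines:
        verdict = match_proxy_line(line, ioc)
        if verdict:
            hits.append((line.split()[1], verdict))
    return hits


# Constructed proxy log lines for illustration (not from the sandbox run).
PROXY_LOG = [
    "2024-07-11T08:12:01Z 10.0.0.15 GET http://checkip.dyndns.org/",
    "2024-07-11T08:12:03Z 10.0.0.15 CONNECT api.telegram.org:443",
    "2024-07-11T08:12:04Z 10.0.0.15 GET " + EXTRACTED_C2,
    "2024-07-11T08:15:00Z 10.0.0.22 GET https://www.example.com/",
]

if __name__ == "__main__":
    ioc = parse_telegram_c2(EXTRACTED_C2)
    print("bot id", ioc["bot_id"], "chat_id", ioc["chat_id"], "method", ioc["method"])
    for client, verdict in triage(PROXY_LOG, ioc):
        print(client, verdict)
```

A "token" hit is a certain match to this sample's config; a bare "telegram-host" hit is only a host-level signal (legitimate Telegram clients also use api.telegram.org) and an "ip-lookup" hit on its own is noisy. The sequence IP lookup, then Telegram, from one client within seconds is what makes the combination worth an alert.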
Targets
- Target: RFQ_92889128.pif.exe
- Size: 636KB
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped components are not scanned. A command line or script-block log entry that adds Defender exclusions is a high-confidence detection point on any host where that is not routine administration.
- Checks computer location settings
  Reads the country code configured in the registry, most likely a geofence that decides whether the payload runs on this system.
- Accesses Microsoft Outlook profiles
  Reads Outlook profile data, which holds mail account settings and saved credentials.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to learn the infected system's external IP address; the report does not name the service.
- Suspicious use of SetThreadContext
  Changing another thread's context is the step that redirects a suspended process to injected code (process hollowing and related injection techniques); the report does not identify the target process.
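The PowerShell-based Defender tampering listed above is one of the most detectable steps in this chain. As an added example (not from the sandbox report), the Python below scans process command lines (Sysmon Event ID 1 or Security 4688 style) for Add-MpPreference or Set-MpPreference with any -Exclusion* parameter, handling three evasions a practitioner actually meets: PowerShell's accepted parameter-prefix abbreviations, Unicode dashes in place of '-', and base64 -EncodedCommand payloads. The sample command lines, paths and the encoded script are constructed for illustration and are not taken from the sandbox output.

```python
import base64
import re

# Both cmdlets accept the exclusion parameters; Add- appends to the list, Set- replaces it.
MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# PowerShell binds unambiguous parameter prefixes (-ExclusionExt works), so match any
# -Exclusion* spelling. The value is a quoted string or a bare, comma-separated list.
EXCLUSION_PARAM_RE = re.compile(
    r"-(Exclusion\w*)\s+(\"[^\"]*\"|'[^']*'|[^\s,]+(?:,[^\s,]+)*)", re.IGNORECASE)

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for a base64(UTF-16LE) script.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def normalise(cmdline):
    """PowerShell treats several Unicode dashes as '-', so fold them before matching."""
    return re.sub("[\u2010-\u2015]", "-", cmdline)


def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (if any) so it is scanned as well."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + normalise(decoded)


def scan_command_line(cmdline):
    """Return [(parameter, value), ...] for every Defender exclusion the command adds."""
    text = decode_encoded_command(normalise(cmdline))
    if not MP_CMDLET_RE.search(text):
        return []
    findings = []
    for param, value in EXCLUSION_PARAM_RE.findall(text):
        # "exe,pif" style lists add one exclusion per item; report each separately.
        for item in value.strip("\"'").split(","):
            findings.append((param, item))
    return findings


# Constructed command lines for illustration (the paths and the encoded script are
# this example's assumptions, not values observed in the sandbox run).
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionExtension exe,pif -ExclusionProcess "RFQ_92889128.pif.exe"'
    .encode("utf-16le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming\\RFQ_92889128.pif.exe"',
    "powershell.exe -NoProfile -WindowStyle Hidden -enc " + _ENCODED,
    "powershell.exe Set-MpPreference \u2013ExclusionPath C:\\ProgramData",  # en dash before the parameter
    "powershell.exe Get-MpPreference | Select-Object ExclusionPath",        # read-only, benign
]

if __name__ == "__main__":
    for cmdline in SAMPLE_COMMAND_LINES:
        print(scan_command_line(cmdline) or "no exclusion change")
```

Run this over the CommandLine field of process-creation events rather than over script-block logs alone: the exclusion is usually added from a one-line child process of the dropper, so the parent-child pair (the sample spawning powershell.exe) is available in the same event and makes the alert easy to scope.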