General

Target: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7.exe
Size: 504KB
Sample: 240727-bqjdkaxerp
MD5: 967175d3aa79388fd8e84ccbf0b998c7
SHA1: 9bb041c883354d306a22ea0faf9c8deecd9f14c0
SHA256: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7
SHA512: e9d65b50fd28f0fc13c88c7d515906f32e29b6a545f0b5ad2bf0d16a83f7bc619d698cd6ae5e294f1a419d3dc5928cc86176b551578d665dda8fcb451f16003b
SSDEEP: 12288:KrHa5vF0t2/Vdh44WHdaZOyWtLLH4PgRuHTJnrwY:Ka37dd7sdaZdITRATJnrw
Static task: static1

Behavioral task: behavioral1
Sample: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7.exe
Resource: win10v2004-20240709-en
Malware Config

Extracted
Protocol: smtp
Host: mail.erkanlarofis.com.tr
Port: 587
Username: [email protected]
Password: 19261926+-

Extracted: snakekeylogger
Protocol: smtp
Host: mail.erkanlarofis.com.tr
Port: 587
Username: [email protected]
Password: 19261926+-
Email To: [email protected]
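The extracted config gives a defender two concrete things to hunt for: the SMTP host the keylogger exfiltrates to, and the more general pattern of an endpoint binary speaking SMTP directly on a submission port. The following is an added example (not part of the sandbox report and not the malware's own code) that runs both checks over Sysmon Event ID 3 style network-connection records. The host and port are taken from the report; the log lines, process paths and mail-client allow-list are constructed for illustration.

```python
"""Flag endpoint processes that open direct SMTP-submission connections.

Added example, not from the sandbox report: given Sysmon Event ID 3 style
network-connection records, flag (a) any connection to the exfiltration host
extracted above, whatever the process, and (b) any non-mail-client process
that connects to a mail submission or transfer port. Host and port come
from the report's extracted config; everything else here is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the report's extracted Snake Keylogger SMTP config.
EXFIL_HOST = "mail.erkanlarofis.com.tr"
EXFIL_PORT = 587

# Mail transfer / submission ports. Endpoints normally reach mail through a
# known client talking to a known server, not from arbitrary binaries.
SMTP_PORTS = {25, 465, 587}

# Constructed allow-list of process names expected to speak SMTP directly.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon-like records, one per line, as key=value pairs.
SAMPLE_EVENTS = r"""
Image=C:\Users\victim\AppData\Roaming\svchost32.exe DestinationHostname=mail.erkanlarofis.com.tr DestinationPort=587 Protocol=tcp
Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE DestinationHostname=smtp.office365.com DestinationPort=587 Protocol=tcp
Image=C:\Windows\System32\svchost.exe DestinationHostname=www.msftconnecttest.com DestinationPort=80 Protocol=tcp
Image=C:\Users\victim\Downloads\invoice.exe DestinationHostname=smtp.gmail.com DestinationPort=465 Protocol=tcp
Image=C:\Program Files\Mozilla Thunderbird\thunderbird.exe DestinationHostname=MAIL.ERKANLAROFIS.COM.TR DestinationPort=25 Protocol=tcp
""".strip()


@dataclass(frozen=True)
class NetEvent:
    image: str        # full path of the initiating process
    dest_host: str
    dest_port: int
    protocol: str


# key=value pairs whose values may contain spaces (Windows paths):
# the value runs lazily up to the next " key=" or end of line.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> NetEvent:
    fields = dict(_KV_RE.findall(line))
    return NetEvent(
        image=fields["Image"],
        dest_host=fields["DestinationHostname"],
        dest_port=int(fields["DestinationPort"]),
        protocol=fields.get("Protocol", "tcp").lower(),
    )


def classify(ev: NetEvent) -> Optional[str]:
    """Return an alert label for a suspicious connection, or None."""
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    host = ev.dest_host.rstrip(".").lower()
    if host == EXFIL_HOST:
        # The extracted C2 host is an IOC on its own: even an allow-listed
        # mail client reaching it (last sample line) must be flagged.
        return "known_exfil_host"
    if ev.protocol == "tcp" and ev.dest_port in SMTP_PORTS and proc not in MAIL_CLIENTS:
        return "smtp_from_non_mail_client"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """Run classify() over every record; return (label, process image) hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        label = classify(ev)
        if label:
            hits.append((label, ev.image))
    return hits


if __name__ == "__main__":
    for label, image in triage(SAMPLE_EVENTS):
        print(f"{label:28s} {image}")
```

The host rule is evaluated before the allow-list so that a compromised or abused legitimate mail client still produces an alert; the port rule is the generic fallback that would have caught this sample even before its config was extracted.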
Targets

Target: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7.exe
Size: 504KB
MD5: 967175d3aa79388fd8e84ccbf0b998c7
SHA1: 9bb041c883354d306a22ea0faf9c8deecd9f14c0
SHA256: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7
SHA512: e9d65b50fd28f0fc13c88c7d515906f32e29b6a545f0b5ad2bf0d16a83f7bc619d698cd6ae5e294f1a419d3dc5928cc86176b551578d665dda8fcb451f16003b
SSDEEP: 12288:KrHa5vF0t2/Vdh44WHdaZOyWtLLH4PgRuHTJnrwY:Ka37dd7sdaZdITRATJnrw
- Snake Keylogger payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, web browser credential stores.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the step that redirects execution in process hollowing and similar injection; on its own it is a hint, so corroborate it with the process tree and memory of the target process.
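The PowerShell signature above is the most detectable of these behaviours on a normal fleet, because legitimate administration rarely adds Defender exclusions from an interactive script on a workstation. The following is an added example, not part of the sandbox report and not the malware's own code, that scans PowerShell script-block text (Event ID 4104 style) for Add-MpPreference or Set-MpPreference calls that set -ExclusionPath, -ExclusionExtension or -ExclusionProcess. It mirrors PowerShell's acceptance of unambiguous parameter prefixes so that an abbreviated -ExclusionPa is not missed. The script blocks are constructed; the payload path, extension and process name in them are illustrative.

```python
"""Detect PowerShell that adds Microsoft Defender exclusions.

Added example, not from the sandbox report: scans PowerShell ScriptBlock
text (Event ID 4104 style) for Add-MpPreference / Set-MpPreference
invocations that set -ExclusionPath, -ExclusionExtension or
-ExclusionProcess, the behaviour the report's "Command and Scripting
Interpreter: PowerShell" signature describes. All log lines are constructed.
"""
import re
from typing import Dict, List, Optional

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# Only these two cmdlets change preferences; Get-MpPreference is read-only.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# One argument item: double-quoted, single-quoted, or bare (never starting
# with "-", so a following parameter is not swallowed as a value).
_ITEM = r'"[^"]*"' + r"|'[^']*'" + r"|(?!-)[^\s,;|]+"
# "-Name value" or "-Name:value", where value is @(...) or a comma list.
PARAM_RE = re.compile(
    rf"-(?P<name>[A-Za-z_]+)\b\s*(?::\s*)?"
    rf"(?P<value>@\([^)]*\)|(?:{_ITEM})(?:\s*,\s*(?:{_ITEM}))*)"
)

# Constructed 4104 script-block texts.
SAMPLE_4104 = [
    # The behaviour the report describes: exclude the payload's folder,
    # its extension and its process name (constructed values).
    r'Add-MpPreference -ExclusionPath "C:\Users\Public","C:\ProgramData\svc" '
    r'-ExclusionExtension exe,dll -ExclusionProcess svchost32.exe',
    # Abbreviated parameter name and the Set- variant.
    r"Set-MpPreference -ExclusionPa 'C:\Temp' -Force",
    # Benign: reads the current exclusions, changes nothing.
    r"Get-MpPreference | Select-Object -ExpandProperty ExclusionPath",
    # Add-MpPreference used for an ASR rule, not an exclusion.
    r"Add-MpPreference -AttackSurfaceReductionRules_Ids "
    r"56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled",
]


def resolve_param(token: str) -> Optional[str]:
    """Expand a possibly abbreviated -Exclusion* parameter name.

    PowerShell accepts any unambiguous prefix of a parameter name, so
    '-ExclusionPa' means -ExclusionPath while '-ExclusionP' is rejected as
    ambiguous (Path vs Process); mirror that so abbreviations are caught.
    """
    t = token.lower()
    if not t.startswith("exclusion"):
        return None
    hits = [p for p in EXCLUSION_PARAMS if p.lower().startswith(t)]
    return hits[0] if len(hits) == 1 else None


def _split_values(raw: str) -> List[str]:
    raw = raw.strip()
    if raw.startswith("@(") and raw.endswith(")"):
        raw = raw[2:-1]
    parts = [p.strip().strip("'\"") for p in raw.split(",")]
    return [p for p in parts if p]


def find_exclusions(script: str) -> Dict[str, List[str]]:
    """Return {parameter: [values]} for every Defender exclusion the script sets."""
    found: Dict[str, List[str]] = {}
    for line in script.splitlines():
        if not CMDLET_RE.search(line):
            continue
        for m in PARAM_RE.finditer(line):
            full = resolve_param(m.group("name"))
            if full is None:
                continue
            found.setdefault(full, []).extend(_split_values(m.group("value")))
    return found


if __name__ == "__main__":
    for block in SAMPLE_4104:
        hits = find_exclusions(block)
        print("ALERT" if hits else "ok   ", hits or block)
```

The matcher works line by line, so a command split across backtick line continuations or assembled from string fragments will be missed; on a real fleet pair it with Defender's own operational log, which records every exclusion change regardless of how the command was obfuscated.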