General
-
Target
dhl Express awb _ docs 73907708353. _17.09.2024 %100%_docx.exe
-
Size
704KB
-
Sample
240924-lbxbzssekh
-
MD5
eee8b251e71cc62d8a72ea6fbc17269d
-
SHA1
ef43ff6678751509bf935be71f843ecff14715a6
-
SHA256
8ad2ef802f671041655e7acfbf210c575eb91a28db87bbc9150c3b026ed71e0f
-
SHA512
acaabc27d648751e9b08cd57d76b953a94d121b7b373453654ad342d49fc89310c8a1037d5e3624e9b80335beb1c3515fada843e60a6c50ced4d0a39d65a7528
-
SSDEEP
12288:SeqYIb0v0oNVYQWVv5Rf1t0i6Weps5/OM9YSdZgSydoK9yIlAJx/5Vb72VSBZUHa:Seq3hosQ8vvL3Ks5/OWYSkSQ9yIgV3nT
Malware Config
Targets
-
-
Target
dhl Express awb _ docs 73907708353. _17.09.2024 %100%_docx.exe
-
Size
704KB
-
MD5
eee8b251e71cc62d8a72ea6fbc17269d
-
SHA1
ef43ff6678751509bf935be71f843ecff14715a6
-
SHA256
8ad2ef802f671041655e7acfbf210c575eb91a28db87bbc9150c3b026ed71e0f
-
SHA512
acaabc27d648751e9b08cd57d76b953a94d121b7b373453654ad342d49fc89310c8a1037d5e3624e9b80335beb1c3515fada843e60a6c50ced4d0a39d65a7528
-
SSDEEP
12288:SeqYIb0v0oNVYQWVv5Rf1t0i6Weps5/OM9YSdZgSydoK9yIlAJx/5Vb72VSBZUHa:Seq3hosQ8vvL3Ks5/OWYSkSQ9yIgV3nT
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-