General
-
Target
AE11690106202.xls
-
Size
640KB
-
Sample
241001-pc26easflg
-
MD5
20e619e98752c941405d8bc0c66242b9
-
SHA1
0320eeb4e91a97d2d78f1ddb196ff09ca7a95da0
-
SHA256
5f7ede06fa8da808f891e29fcfc533fcab3f7e9bc02ad68d0e5b24fe006fcbe5
-
SHA512
1a7f5cb0e1af193d9e6e07b4653648d607c4e931b32be475c0808fdd33a55a1e4257db456f8bda32f69ee09e07ba48248163127b72939eca17619110e997bdc2
-
SSDEEP
12288:3S6nskrDE0NvKwm3HzxoO1e1ic6yWK0VceVnV2EVS7IIM:3S6nrNvIoOcl637rnV2Ey/M
Static task
static1
Behavioral task
behavioral1
Sample
AE11690106202.xls
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
AE11690106202.xls
Resource
win10v2004-20240802-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.kotobagroup.com - Port:
587 - Username:
[email protected] - Password:
Kotoba@2022!
Targets
-
-
Target
AE11690106202.xls
-
Size
640KB
-
MD5
20e619e98752c941405d8bc0c66242b9
-
SHA1
0320eeb4e91a97d2d78f1ddb196ff09ca7a95da0
-
SHA256
5f7ede06fa8da808f891e29fcfc533fcab3f7e9bc02ad68d0e5b24fe006fcbe5
-
SHA512
1a7f5cb0e1af193d9e6e07b4653648d607c4e931b32be475c0808fdd33a55a1e4257db456f8bda32f69ee09e07ba48248163127b72939eca17619110e997bdc2
-
SSDEEP
12288:3S6nskrDE0NvKwm3HzxoO1e1ic6yWK0VceVnV2EVS7IIM:3S6nrNvIoOcl637rnV2Ey/M
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-