General
-
Target
59fe13a8377c30271d44777e396b6bd5.exe
-
Size
585KB
-
Sample
241009-h1njlaselm
-
MD5
59fe13a8377c30271d44777e396b6bd5
-
SHA1
27ebfc2576551267db98b26b70ab47cce0d351ac
-
SHA256
de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
-
SHA512
3d575bd19523584daed64073ac77090c54bd7354165116fc45d086cf6eb57091ba8912c09e900a3f7680e62485668c754c176da6ae22a6dc2d0e05b07ccc63fa
-
SSDEEP
12288:tnC8t19OthcGsWjeHCGvQmG7hf6b7Z2z1B9jmE:fShqWjeHTQKfE
Static task
static1
Behavioral task
behavioral1
Sample
59fe13a8377c30271d44777e396b6bd5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
59fe13a8377c30271d44777e396b6bd5.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.pncala.com - Port:
587 - Username:
[email protected] - Password:
ZE25X]4F{wQ_
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.pncala.com - Port:
587 - Username:
[email protected] - Password:
ZE25X]4F{wQ_ - Email To:
[email protected]
Targets
-
-
Target
59fe13a8377c30271d44777e396b6bd5.exe
-
Size
585KB
-
MD5
59fe13a8377c30271d44777e396b6bd5
-
SHA1
27ebfc2576551267db98b26b70ab47cce0d351ac
-
SHA256
de0cb6ebdb3de731c768933ecd33f4adf12ae6667113ca68e49538bd644cd32c
-
SHA512
3d575bd19523584daed64073ac77090c54bd7354165116fc45d086cf6eb57091ba8912c09e900a3f7680e62485668c754c176da6ae22a6dc2d0e05b07ccc63fa
-
SSDEEP
12288:tnC8t19OthcGsWjeHCGvQmG7hf6b7Z2z1B9jmE:fShqWjeHTQKfE
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2