General

Target: Payment copy.exe
Size: 699KB
Sample: 241022-k9k6yazejj
MD5: 24e9f7248721532221948fa1967ee60f
SHA1: 6383f2e95ddd7abd76f0be41c98c2f0251144f9f
SHA256: aaffbb91c846cc38793ba7ad53bb5b72487a65fa430e4caec3993d22b28cbf21
SHA512: a8f950a5d35cd972d5b6498e386f33968c34f519d97b5d037638cb97e6f226ce1f2fd01caf286fe7b46d24723b55cc0024da399633f93e7c8595fedaff55812f
SSDEEP: 12288:QHuE6cx+QCxBtQ7LUUV00q5+2Glo1XmVUiFK+YPbGxLuyNKBXeQU7:5cx5CxBJUV0fGmSFWBeZ
Static task: static1

Behavioral task: behavioral1
  Sample: Payment copy.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Payment copy.exe
  Resource: win10v2004-20241007-en
Malware Config

Extracted
  Protocol: smtp
  Host: mail.financ-fire.com
  Port: 587
  Username: financ1@financ-fire.com
  Password: W6otxNGOdwF9

Extracted
  Family: snakekeylogger
  Protocol: smtp
  Host: mail.financ-fire.com
  Port: 587
  Username: financ1@financ-fire.com
  Password: W6otxNGOdwF9
  Email To: ava386960@gmail.com
Targets

Target: Payment copy.exe
Size: 699KB
Signatures
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)