General
-
Target
rCommercialoffer_Technicaloffer_pdf.exe
-
Size
642KB
-
Sample
241030-rvpn5svglb
-
MD5
4806339fc2f24f3bab7fb6620826d603
-
SHA1
edc14208fcbd256801a2062dde49a52dd4f2890d
-
SHA256
5e0c5d2342ce0c3460d6c853a64efc16a89b9fe93372334d78163dfe7efb7e12
-
SHA512
70f75834b884a5a1309ca4b52b4b8d01ed63bccfd22e9fa9035ae3ac83582e46325de6f91bf39fd391db531117579170391f1a7710e8ccf67833d962b44b2182
-
SSDEEP
12288:ggu58UO/0Li3SaNlPhq7P9ekopAAT26ZvgVlmee/6BRERMHA+5QpU:gguuv0LPaNbqT9R2vgNeyTERMgm
Static task
static1
Behavioral task
behavioral1
Sample
rCommercialoffer_Technicaloffer_pdf.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
rCommercialoffer_Technicaloffer_pdf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Tablespoonsful/Hpital.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Tablespoonsful/Hpital.ps1
Resource
win10v2004-20241007-en
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7557806283:AAFiqTWzN-gLgC-2y3c1Dz5CtqTp-HN6TYc/sendMessage?chat_id=7451270736
Targets
-
-
Target
rCommercialoffer_Technicaloffer_pdf.exe
-
Size
642KB
-
MD5
4806339fc2f24f3bab7fb6620826d603
-
SHA1
edc14208fcbd256801a2062dde49a52dd4f2890d
-
SHA256
5e0c5d2342ce0c3460d6c853a64efc16a89b9fe93372334d78163dfe7efb7e12
-
SHA512
70f75834b884a5a1309ca4b52b4b8d01ed63bccfd22e9fa9035ae3ac83582e46325de6f91bf39fd391db531117579170391f1a7710e8ccf67833d962b44b2182
-
SSDEEP
12288:ggu58UO/0Li3SaNlPhq7P9ekopAAT26ZvgVlmee/6BRERMHA+5QpU:gguuv0LPaNbqT9R2vgNeyTERMgm
-
Snake Keylogger payload
-
Snakekeylogger family
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Tablespoonsful/Hpital.Svm
-
Size
55KB
-
MD5
5c3047a848544b49eb82d09ed58708f3
-
SHA1
27c59daa34a25319f77d2dfe91613a4669803e21
-
SHA256
72a4194d8fcae2e4cfa2bd19dda030d1a7a05f27b2cc5197b6fceffb6b9decf0
-
SHA512
d783fa64387306adc639d5051bb153c5437ceeb1dc5abbd71d28cd2e1019209b13e1188bc94ab0ebe14cb94daba838293592361ea29451695f41d995b08c3e6a
-
SSDEEP
1536:QPchwSZoEGZC7CeFKFtsBYcmPuhjywMaJzzivfkIYFPixSk6aVM:WchwS/GZMFEMBthiaQvYJg6a6
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2