General
- Target: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39(1).xlsx
- Size: 435KB
- Sample: 241125-q9te7swnfk
- MD5: adfcfa59a06bbc5a0faa8f5b0ff663fe
- SHA1: 01d4b8e70b641863727d671e9b087633f3b3a37e
- SHA256: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39
- SHA512: 0749086410e6ebaab4a23a2eb46e0bddafa134c8a704ec6b1b860a6d9016d6a6b877c2cff6be5eb5161c214fbdf731ad002fec0ab155d1e4557ee30c5a1bf836
- SSDEEP: 12288:el3PBexJxH0cZtSlOSgjG3IWNqAvfTYxv25EN:e5PBexJJF2cSwG4ofTn5Y
Behavioral task: behavioral1
- Sample: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39(1).xlsm
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39(1).xlsm
- Resource: win10v2004-20241007-en
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: juguly.shop
- Port: 587
- Username: [email protected]
- Password: rEBS93U9rKLG
- Email To: [email protected]
Targets
- Target: 88671a5d96d0741f41a8fab45db69ba8331ab55d6cc3fe0077ea3d7f30d82d39(1).xlsx
Signatures
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger payload
- Snakekeylogger family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext