General
Target: 3f8d58b5e8d799b4bed5863564c2253873c2a8c0a3009d33cb358989dee2bfe8
Size: 674KB
Sample: 241128-hxhtyawjhl
MD5: 339a4a13b9bb127acad90d7eda00d193
SHA1: 52af92f0989a1ce9907d22d39f2123186439eb0d
SHA256: 3f8d58b5e8d799b4bed5863564c2253873c2a8c0a3009d33cb358989dee2bfe8
SHA512: 6eaa3637dfa1d44af11b602feeaf37878a1040fd7efb41e854b57ea227896d2a9e05c02eb56391e40f69affd7248994cb2c59979d0906b02e96d27ad87c3c657
SSDEEP: 12288:bBYqv8pAdH0qjitzztZVOfMjBS2icP6Q9ONgcG6vsfszMYYBsidFoFcgjUSx:f03qjitZOMjBZdCghk/QdVsXx
Static task: static1
Behavioral task: behavioral1
  Sample: MB268382625AE.pdf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: MB268382625AE.pdf.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: snakekeylogger
Protocol: ftp
Host: ftp://cpanel2-nl.thcservers.com/
Port: 21
Username: [email protected]
Password: Uvob2G1Tc73ZCus02X
Targets
Target: MB268382625AE.pdf.exe
Size: 739KB
MD5: 17e2b9c140aff9e3922ecba5a9f61372
SHA1: 9d5fc910c29d028973957bb1e4c8444213bb765e
SHA256: feb88db931480ec059519f47eabc2f1e1365e08e8e412c62efb1e6683cd38565
SHA512: 2d15847f0418c52b4163cd338c5b51bafc12e98da7fad897dbffc7d6ad5b35ed5c616539fde439cf1cd42cd18902da28af4a4f9e7da8c990dd7147d105489e62
SSDEEP: 12288:52sv+SGjpA3yKUUo6aoIi5xFV60+Q3/gVOpD4G1c0icP6A9ONDJFc7TMVCfCvzCf:52xjy95xvH+Q3mcD4GB3CDJqhKLCnYnk
Snake Keylogger payload
Snakekeylogger family
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext
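The PowerShell-based Defender tampering listed above is the signature most worth a host-side detection. The following Python is an added example, not code from the sandbox report or from the sample: it scans process command lines for Add-MpPreference/Set-MpPreference invocations that add exclusions, decodes a -EncodedCommand payload first so the cmdlet is not hidden in base64, and expands PowerShell's parameter-prefix abbreviations so -ExclusionExt is caught as well as -ExclusionExtension. The records in SAMPLE_RECORDS are constructed to illustrate the behaviour, not telemetry from this run; the Finding class and function names are this example's own.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records (image name, command line). These are made-up
# examples of the behaviour the report describes, not telemetry from the sandbox run.
# Record 2 carries the same tampering hidden behind -EncodedCommand (UTF-16LE, base64),
# record 3 abbreviates the parameter name, record 4 is benign Defender use.
SAMPLE_RECORDS = [
    ("powershell.exe",
     'powershell.exe -ExecutionPolicy Bypass Add-MpPreference '
     '-ExclusionPath "C:\\Users\\Public" -ExclusionExtension exe'),
    ("powershell.exe",
     "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         'Set-MpPreference -ExclusionProcess "MB268382625AE.pdf.exe"'.encode("utf-16-le")
     ).decode("ascii")),
    ("powershell.exe", "powershell.exe Add-MpPreference -ExclusionExt pdf,exe"),
    ("powershell.exe", "powershell.exe Get-MpComputerStatus"),
]

# Cmdlets that change Defender preferences, and the three exclusion parameters the
# report mentions. PowerShell accepts any unambiguous prefix of a parameter name, so
# -ExclusionExt is as effective as -ExclusionExtension and must be matched too.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-(Exclusion\w*)", re.IGNORECASE)
FULL_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# powershell.exe -EncodedCommand, its documented aliases -e / -ec, and prefixes like -enc.
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/]e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    cmdlet: str
    exclusions: List[str]   # canonical parameter names that were used
    decoded: bool           # True when the cmdlet was hidden in -EncodedCommand


def canonical_param(token: str) -> str:
    """Expand a (possibly abbreviated) -Exclusion* token to its full parameter name.

    An ambiguous prefix such as -ExclusionP is rejected by PowerShell itself, so it is
    reported as ambiguous rather than silently mapped to one of the candidates."""
    matches = [p for p in FULL_PARAMS if p.lower().startswith(token.lower())]
    return matches[0] if len(matches) == 1 else "ambiguous:" + token


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: the raw command line gets scanned instead


def find_exclusion_tampering(image: str, cmdline: str) -> Optional[Finding]:
    """Flag a command line that adds Defender exclusions via Add-/Set-MpPreference."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    cmdlet = MP_CMDLET.search(text)
    if cmdlet is None:
        return None
    params = [canonical_param(p) for p in EXCLUSION_PARAM.findall(text)]
    if not params:
        return None  # a preference change without exclusions is outside this rule
    return Finding(image, cmdlet.group(0), params, decoded is not None)


def scan(records) -> List[Finding]:
    """Run the rule over (image, command line) pairs and collect the hits."""
    hits = []
    for image, cmdline in records:
        f = find_exclusion_tampering(image, cmdline)
        if f is not None:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.image}: {f.cmdlet} {' '.join(f.exclusions)}"
              + (" (from -EncodedCommand)" if f.decoded else ""))
```

Command-line matching only covers the PowerShell path the sandbox observed. Exclusions written directly under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions or set through the Defender WMI class never appear in a command line, so pair this rule with Microsoft-Windows-Windows Defender/Operational event 5007 (configuration changed), which records the change however it was made.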
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2