General
-
Target
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41.exe
-
Size
624KB
-
Sample
241129-ddjjxa1kbz
-
MD5
00fd43556fc34aca3e863643aeaf85de
-
SHA1
8af3d4c96ae1e7f048343359c935d40f5055a7f5
-
SHA256
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41
-
SHA512
d81ebdd8f5bfa01570b9641dc1f24bac393a340a5bda21733bff21659a0ad8c3b0a94beeaa9d5bbe5e72c0bdb10e483d564cfc1c44f417db4cf977b9ebbd6318
-
SSDEEP
12288:o7o1zGksv+SGjpA3yKUUo6aJCpv2UkK8zzdfRUOVpXHMQWc1cIWcwUf4CqZu2y6P:d1zGUxjGc9KaxfjpXMQWacowUwXk2y6s
Static task
static1
Behavioral task
behavioral1
Sample
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://cpanel2-nl.thcservers.com/ - Port:
21 - Username:
Yx74dJ0TP3M= - Password:
Uvob2G1Tc73ZCus02X
Targets
-
-
Target
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41.exe
-
Size
624KB
-
MD5
00fd43556fc34aca3e863643aeaf85de
-
SHA1
8af3d4c96ae1e7f048343359c935d40f5055a7f5
-
SHA256
2ef8e6a7e290f566d0e90f72b8567fe92952dcf6a0f29c673c64794b7d799c41
-
SHA512
d81ebdd8f5bfa01570b9641dc1f24bac393a340a5bda21733bff21659a0ad8c3b0a94beeaa9d5bbe5e72c0bdb10e483d564cfc1c44f417db4cf977b9ebbd6318
-
SSDEEP
12288:o7o1zGksv+SGjpA3yKUUo6aJCpv2UkK8zzdfRUOVpXHMQWc1cIWcwUf4CqZu2y6P:d1zGUxjGc9KaxfjpXMQWacowUwXk2y6s
-
Snake Keylogger payload
-
Snakekeylogger family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-