General
Target: Payment Confirmation..docm
Size: 15KB
Sample: 241209-s1b6nsxleq
MD5: 5b539c1cf933b4b4158552ce25f708e1
SHA1: 8b322500fa186ca8f6e2fe0494214ad2b527d8d0
SHA256: 12d47f62ed1f5d60193a3a3099873286365c15dc6bf9df17aa250e1f7660c36c
SHA512: 66296c5eaec5ab37c920780d0906082e808cde8a99c4cf1802c2d8013b722c324cf345e7af9fe8f971b100ae0d4326c3717eebe80cda1fe8715b6369af5c3f0a
SSDEEP: 384:/imtLGAcgqN+v6+iAn0i13LHHOXv+iT3eZaakbM:/LL9cgqa3rv13jOXGiT3i
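The target is a macro-enabled Word document (.docm) whose name carries a doubled dot before the extension. As an added triage example, not part of this sandbox report, the Python below inspects an OOXML container for a VBA project part (declared in [Content_Types].xml, conventionally stored at word/vbaProject.bin) and flags file-name oddities of the kind seen here. The in-memory .docm it builds is a constructed stand-in, not the analysed sample; the helper names are the example's own.

```python
"""Static triage of a .docm: does the OOXML package carry a VBA project?

Added example, not part of the sandbox report. The package built by
build_docm() is a constructed stand-in, not the analysed sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def macro_parts(data: bytes) -> list:
    """Names of VBA project parts inside an OOXML package (empty if none).

    [Content_Types].xml must declare every part's type, so it is the primary
    source; the conventional path word/vbaProject.bin is checked as a fallback
    so a tampered content-types file cannot hide the macro container.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        found = set()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    found.add(el.get("PartName", "").lstrip("/"))
            for el in root.iter(CT_NS + "Default"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    ext = "." + el.get("Extension", "").lower()
                    found.update(n for n in names if n.lower().endswith(ext))
        found.update(n for n in names if n.lower().endswith("/vbaproject.bin"))
        return sorted(found)


def is_macro_enabled_main(data: bytes) -> bool:
    """True if the main document part is declared with the .docm content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "[Content_Types].xml" not in z.namelist():
            return False
        root = ET.fromstring(z.read("[Content_Types].xml"))
        return any(el.get("ContentType") == MACRO_ENABLED_MAIN
                   for el in root.iter(CT_NS + "Override"))


def filename_flags(name: str) -> list:
    """Lure-style file-name tricks worth surfacing to an analyst."""
    flags = []
    if re.search(r"\.\.[A-Za-z0-9]+$", name):
        flags.append("doubled dot before extension")
    if name.lower().endswith((".docm", ".dotm", ".xlsm", ".pptm")):
        flags.append("macro-enabled Office extension")
    if re.search(r"\.(pdf|docx?|xlsx?|txt)\.[A-Za-z0-9]+$", name, re.I):
        flags.append("double extension")
    return flags


def triage(name: str, data: bytes) -> dict:
    return {
        "name_flags": filename_flags(name),
        "macro_enabled_main": is_macro_enabled_main(data),
        "macro_parts": macro_parts(data),
    }


def build_docm(with_macro: bool) -> bytes:
    """Constructed minimal .docm-shaped package for testing (not the real sample)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>'
                 % MACRO_ENABLED_MAIN]
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                         % VBA_CONTENT_TYPE)
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by padding: a stand-in, not a real project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("Payment Confirmation..docm", build_docm(with_macro=True)))
```

A positive macro_parts result says only that a VBA project is present; what it does (the PowerShell launch reported below) requires extracting the project with a tool such as oletools' olevba.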
Behavioral task behavioral1
Sample: Payment Confirmation..docm
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: Payment Confirmation..docm
Resource: win10v2004-20241007-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.dap.vn
Port: 587
Username: [email protected]
Password: KhAnh110886
Email To: [email protected]
Targets
Target: Payment Confirmation..docm
Size: 15KB
MD5: 5b539c1cf933b4b4158552ce25f708e1
SHA1: 8b322500fa186ca8f6e2fe0494214ad2b527d8d0
SHA256: 12d47f62ed1f5d60193a3a3099873286365c15dc6bf9df17aa250e1f7660c36c
SHA512: 66296c5eaec5ab37c920780d0906082e808cde8a99c4cf1802c2d8013b722c324cf345e7af9fe8f971b100ae0d4326c3717eebe80cda1fe8715b6369af5c3f0a
SSDEEP: 384:/imtLGAcgqN+v6+iAn0i13LHHOXv+iT3eZaakbM:/LL9cgqa3rv13jOXGiT3i
- Snake Keylogger payload
- Snakekeylogger family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the step process hollowing uses to point a suspended process at injected code.
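The signatures above describe a chain a detection engineer can encode: Word spawning PowerShell, PowerShell adding Defender exclusions, a dropped executable launching vbc.exe, a registry read of the configured country, an external-IP lookup, and SMTP traffic to the host and port in the extracted config. As an added example, not part of this report, the Python below runs that logic over constructed Sysmon-style events. The IP-lookup host list, the registry value name behind the location check, and the benign-parent and mail-client lists are assumptions rather than report content, and the event data is made up to mirror the reported chain.

```python
"""Detection logic for the behaviours in the report, run over constructed
endpoint events with Sysmon-like fields. Added example, not part of the
report; lists marked 'assumed' are not taken from it."""
import re

# From the report's extracted Snake Keylogger config.
EXFIL_HOST, EXFIL_PORT = "mail.dap.vn", 587

# Assumed (not in the report): common external-IP lookup services, the
# registry value behind the "computer location" check, and benign parents.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com",
                   "icanhazip.com", "ipinfo.io"}
GEO_NATION = r"control panel\international\geo\nation"
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SMTP_PORTS = {25, 465, 587}
# Add-MpPreference / Set-MpPreference with any of the three exclusion parameters
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) for every rule an event trips."""
    hits = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["type"] == "process":
            parent = basename(ev.get("parent", ""))
            cmd = ev.get("cmdline", "")
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", f"{parent} -> {image}"))
            if DEFENDER_EXCLUSION.search(cmd):
                hits.append(("defender_exclusion_added", cmd))
            if parent in SCRIPT_HOSTS and any(m in ev["image"].lower() for m in USER_WRITABLE):
                hits.append(("script_host_runs_dropped_exe", ev["image"]))
            if image == "vbc.exe" and parent not in BUILD_TOOLS:
                hits.append(("vbc_outside_build", f"{parent} -> vbc.exe"))
        elif ev["type"] == "network":
            host, port = ev["dest_host"].lower(), int(ev["dest_port"])
            if host == EXFIL_HOST and port == EXFIL_PORT:
                hits.append(("smtp_exfil_to_config_host", f"{image} -> {host}:{port}"))
            if port in SMTP_PORTS and image not in MAIL_CLIENTS:
                hits.append(("smtp_from_non_mail_client", f"{image} -> {host}:{port}"))
            if host in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", f"{image} -> {host}"))
        elif ev["type"] == "registry":
            if GEO_NATION in ev["key"].lower():
                hits.append(("geo_nation_lookup", f"{image} read {ev['key']}"))
    return hits


def rules_fired(events):
    return sorted({rule for rule, _ in detect(events)})


# Constructed telemetry mirroring the reported chain (not captured data).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": PS, "parent": OFFICE + r"\WINWORD.EXE",
     "cmdline": "powershell -nop -w hidden -c Add-MpPreference -ExclusionPath "
                "C:\\Users\\Public -ExclusionExtension exe"},
    {"type": "process", "image": r"C:\Users\Public\payload.exe", "parent": PS,
     "cmdline": "payload.exe"},
    {"type": "process", "image": VBC, "parent": r"C:\Users\Public\payload.exe",
     "cmdline": "vbc.exe"},
    {"type": "registry", "image": VBC, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "network", "image": VBC, "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"type": "network", "image": VBC, "dest_host": EXFIL_HOST, "dest_port": EXFIL_PORT},
    # Benign controls: a real build and a real mail client must not fire.
    {"type": "process", "image": VBC, "parent": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": "vbc.exe /noconfig"},
    {"type": "network", "image": OFFICE + r"\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The exfil-host rule is the brittle one (the operator can re-point the config), so the generic smtp_from_non_mail_client and vbc_outside_build rules carry most of the value; the config host and port are still worth blocking at the egress proxy while the report's indicators are fresh.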