General
-
Target
20122024_0925_17122024_20220830_Proteco_PTE.rar
-
Size
563KB
-
Sample
241220-ldws8svjfv
-
MD5
7fffc2822017fc7be6ac0e208955debc
-
SHA1
09283cc60541cd9aeac43ab8cac905281fe735fb
-
SHA256
14cab2ee5ae251656fcd3cb620ff766993adeec2168698db4947db4df5e9711b
-
SHA512
055c8e1d90c5be9195caae9b8ce5b34f02187483b9d12bda22533887a252aa21da2dde91a6ccd64cb065c037f02a6318bd3f0148c5837d84999215cef7b76343
-
SSDEEP
12288:gq9i88sH1vexSzMIOpZVTyt/JhnrFJBO7BTdaqpVZGTJZm:piWZeKUpfOt/zZJEdaq8TJZm
Static task
static1
Behavioral task
behavioral1
Sample
20220830_Proteco_PTE.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
20220830_Proteco_PTE.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
webmail.camaso.com.mx - Port:
587 - Username:
[email protected] - Password:
Camasomayo2022 - Email To:
[email protected]
Targets
-
-
Target
20220830_Proteco_PTE.exe
-
Size
832KB
-
MD5
1549d8cadb851c21cfbb665f4bb3005c
-
SHA1
a428dba079c5a84c1987cfaee96a72728028a171
-
SHA256
39e1a095245396ac722157902ce0910bd16bc8381af35f69f9a5921a766929fa
-
SHA512
db33659e02d8d05e6730072db839d1e290ed198f2853ecf278a1bf104f6a6aa5de29c9a5da7f6f7a547192b10bd95198d466d509bceebe6a6bb0fe84de42856e
-
SSDEEP
12288:9kyRkCyVplbTiTtsE8QiUpitpgizZkBpeC2CROPMMPku+l0CPPSOdAA:yyZyOTz46izZQpeC24OPDPd+pSsA
-
Snake Keylogger payload
-
Snakekeylogger family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2