General
Target: LAQ-PO088PDF.zip
Size: 2.2MB
Sample: 240624-qdf51axckm
MD5: fcd5f4e260803111bf9a91ef8b104303
SHA1: fec36cb7843997fe19af34c72af4d2d5f6d7d9ad
SHA256: 150d9b7f85523aba23be98fc9bf2cac1fca3da5c145088189a60f0c4817f4e8e
SHA512: 5169049c26005296d6eea7106262643493c612d9cb6cc0690249a92919cd16a62633b70c1764f6e5d70529349c9a423181556927c57ae805f58d7aaf1044681c
SSDEEP: 49152:NPZ//2iwPULzw5N6CmGEILVacC8yzJCcfPBMm0bq0Vr2at:Nh2ik8w5N6CdEIwcC8Ikc3bgqor2e
Static task: static1

Behavioral task: behavioral1
Sample: LAQ-PO088PDF.bat
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: LAQ-PO088PDF.bat
Resource: win10v2004-20240611-en
Malware Config

Extracted
Protocol: ftp
Host: files.000webhost.com
Port: 21
Username: uzo1919
Password: Computer@101

Extracted: snakekeylogger
Protocol: ftp
Host: ftp://files.000webhost.com/
Port: 21
Username: uzo1919
Password: Computer@101
Targets

Target: LAQ-PO088PDF.bat
Size: 2.9MB
MD5: a65ee5594b619784ddae86580ae0023e
SHA1: 068ab505bb49206349b08527e88fa764475dc4e3
SHA256: 98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f
SHA512: fa454fb624c12a7ceac9ba230134cb63df7321dcf09f5c077d7d94d82e0220fd04222b5f1ade571eb0154c716a284ccf802d76676dd0d6063e3da441dd7c056e
SSDEEP: 24576:qjdD5w0gCVEM/qU6ucJXtV5g+W1LAXuFyoU/Vgjt5Rxb85lepF+STTdA7jxkbLv8:2D71qdXt/3dKy4JrpFftkbWDoUAiVRTo

Snake Keylogger payload
Executes dropped EXE
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext