General
-
Target
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce.exe
-
Size
546KB
-
Sample
240627-b6yhesygml
-
MD5
06c135c6806d204db854b2b303f711e4
-
SHA1
7034a07bcd5c2855c2a906f1c96a0490dda51a26
-
SHA256
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce
-
SHA512
b935c9c0415a7abc778d3cf0b374a2604ebd0eb33b3223412c9ffc9d320b3cffed381b0d98d4350bdd0af05f4b7c3f050b90305d102e36c60891a9bec9a6ee51
-
SSDEEP
12288:rpaLt72wtNGZYqnDLPM/en5IDxDhzkz6C3jYCNVyvUGdABV:KqDLTQFW93jYCqAB
Static task
static1
Behavioral task
behavioral1
Sample
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://ftp.darwishgruop.com/ - Port:
21 - Username:
[email protected] - Password:
Uvob2G1Tc73ZCus02X
Targets
-
-
Target
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce.exe
-
Size
546KB
-
MD5
06c135c6806d204db854b2b303f711e4
-
SHA1
7034a07bcd5c2855c2a906f1c96a0490dda51a26
-
SHA256
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce
-
SHA512
b935c9c0415a7abc778d3cf0b374a2604ebd0eb33b3223412c9ffc9d320b3cffed381b0d98d4350bdd0af05f4b7c3f050b90305d102e36c60891a9bec9a6ee51
-
SSDEEP
12288:rpaLt72wtNGZYqnDLPM/en5IDxDhzkz6C3jYCNVyvUGdABV:KqDLTQFW93jYCqAB
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-