General
-
Target
contract of BASHAN.zip
-
Size
307KB
-
Sample
240627-t1w2hszdnb
-
MD5
3c7ee383eb6859c22d211439fdb7c8f2
-
SHA1
18bd124ba0d838762d4356fce10b17e79be9c609
-
SHA256
ba87381fa6489c00624d7fa62325afa9c9fd01e45384bf4075a858d3131bcdf8
-
SHA512
cc77182c65afc869feff2ae76a353fd53f1aa19004cbb3f42f8b9ec496f9679f1999514dbfe598ee1fea35b870aec69ba75f9664c4a0be757a0d7fcdb9648c09
-
SSDEEP
6144:pAGLRHbivDlBWNAff0/lKKgvK7J2oHF025kliICvMPKXxnQX9Gtucj:eqivrWNAffslWIJPHklHCvYWuY
Static task
static1
Behavioral task
behavioral1
Sample
contract of BASHAN.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
contract of BASHAN.zip
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
contract of BASHAN.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
contract of BASHAN.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp
Host: mail.valleycountysar.org
Port: 587
Username: [email protected]
Password: DKw(r0%wpbd]
http://103.130.147.85
Targets
-
-
Target
contract of BASHAN.zip
-
Size
307KB
-
MD5
3c7ee383eb6859c22d211439fdb7c8f2
-
SHA1
18bd124ba0d838762d4356fce10b17e79be9c609
-
SHA256
ba87381fa6489c00624d7fa62325afa9c9fd01e45384bf4075a858d3131bcdf8
-
SHA512
cc77182c65afc869feff2ae76a353fd53f1aa19004cbb3f42f8b9ec496f9679f1999514dbfe598ee1fea35b870aec69ba75f9664c4a0be757a0d7fcdb9648c09
-
SSDEEP
6144:pAGLRHbivDlBWNAff0/lKKgvK7J2oHF025kliICvMPKXxnQX9Gtucj:eqivrWNAffslWIJPHklHCvYWuY
Score 1/10
-
-
Target
contract of BASHAN.exe
-
Size
537KB
-
MD5
192a10972e9401b7626f1f6bd50de84c
-
SHA1
7d674d1abb94f2f7c54b945efdec3a5835ca8c0f
-
SHA256
7152561bebf317fd5a88c09faf839006447c182e262d826c2741cc2d09b64f2d
-
SHA512
20fd0dbe1c7f8b6f3c4d4082c70b69787c8c7f082b621745540102bdb143aa5c70ed59d14c649322f8eb4cfbf01d1201c1dfadfe2017663af9c5d9d8a519e564
-
SSDEEP
12288:fmoahaD2QsSe+fAff3hjkcj2YH0Jv/v+zLuSn:4aD2QsSe+gfxjkcy/v/+LB
Score 10/10
Snake Keylogger payload
-
Checks computer location settings
Looks up the country code configured in the registry, most likely used as a geofence to avoid running in certain regions.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
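The SMTP host, the submission port and the bare URL in the Malware Config section, together with the "external IP lookup" behaviour in the signatures, are the network IOCs a responder carries into proxy or firewall logs. The block below is an added example for this report, not code from the sandbox or from any vendor: it parses the config exactly as the page shows it (the username stays redacted as "[email protected]"), derives host and port IOCs from it, and runs them over constructed log lines. The log format, the source addresses and the list of IP-lookup services are assumptions; the report names no lookup service. Two practitioner caveats: the exfil server looks like a third-party mail host, so the mailbox is more plausibly a compromised legitimate account than attacker-owned infrastructure, which makes alerting on port 587 SMTP from ordinary endpoints a better control than blocking the mail domain; and the archive's 1/10 score only reflects that the zip does nothing when detonated on its own, the 10/10 verdict belongs to the extracted exe.

```python
"""IOC extraction and log matching for the Snake Keylogger config in this report.

Added example for this sandbox report; not code from the report or any vendor.
The config text is copied from the "Malware Config" section; the log lines and
the set of IP-lookup services are constructed assumptions.
"""
import re

# Copied from the report's "Malware Config" section. The page shows the SMTP
# username redacted as "[email protected]"; it is kept exactly as shown.
SNAKE_CONFIG = """Protocol: smtp
Host: mail.valleycountysar.org
Port: 587
Username: [email protected]
Password: DKw(r0%wpbd]
http://103.130.147.85
"""

# Assumption: services stealers commonly query for the victim's external IP.
# The report names none; these are illustrative only.
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com"}

# Constructed sample log lines (not from the report): "<ts> <src> -> <dst>:<port> <proto>"
SAMPLE_LOGS = [
    "2024-06-27T12:00:01Z 10.0.0.5 -> checkip.dyndns.org:80 tcp",
    "2024-06-27T12:00:02Z 10.0.0.5 -> mail.valleycountysar.org:587 tcp",
    "2024-06-27T12:00:03Z 10.0.0.5 -> 103.130.147.85:80 tcp",
    "2024-06-27T12:00:04Z 10.0.0.5 -> www.microsoft.com:443 tcp",
    "2024-06-27T12:00:05Z 10.0.0.7 -> smtp.example.net:587 tcp",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_config(text):
    """Parse 'Key: value' lines into a dict; bare URLs are collected under 'urls'."""
    cfg = {"urls": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^https?://", line):
            cfg["urls"].append(line)
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def network_iocs(cfg):
    """Return (host, port) pairs to alert on: the exfil SMTP server plus any host
    embedded in the config's URLs. A port of None means 'any port'."""
    iocs = set()
    if "host" in cfg:
        port = int(cfg["port"]) if cfg.get("port", "").isdigit() else None
        iocs.add((cfg["host"].lower(), port))
    for url in cfg["urls"]:
        m = re.match(r"^https?://([^/:]+)(?::(\d+))?", url)
        if m:
            iocs.add((m.group(1).lower(), int(m.group(2)) if m.group(2) else None))
    return iocs


def match_logs(lines, iocs):
    """Tag each log line that touches a config IOC, an IP-lookup service, or
    outbound submission-port SMTP (587) from an endpoint. Returns (line, reason)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        dst, port = m["dst"].lower(), int(m["port"])
        if (dst, port) in iocs or (dst, None) in iocs:
            hits.append((line, f"config IOC {dst}:{port}"))
        elif dst in IP_LOOKUP_SERVICES:
            hits.append((line, f"external IP lookup via {dst}"))
        elif port == 587:
            # Generic rule: workstations normally relay through a mail server,
            # not straight to port 587 on the internet (assumption about the estate).
            hits.append((line, "outbound SMTP submission from endpoint"))
    return hits


if __name__ == "__main__":
    config = parse_config(SNAKE_CONFIG)
    for line, reason in match_logs(SAMPLE_LOGS, network_iocs(config)):
        print(f"{reason:45s} {line}")
```

The parser deliberately splits on the first colon only, so the password `DKw(r0%wpbd]` and any value containing `:` survive intact; the URL line, which carries no key on the page, is kept as a bare URL rather than given an invented label.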