General

Target: Product list Quotation.zip
Size: 307KB
Sample: 240627-tvv72azbqd
MD5: 93be4453708b96f7cfec48745fdb0130
SHA1: bc342be5a50b5d54eb93286dde25a9ca38c334b6
SHA256: 15d8bddbe38f971e40e7dabd625d8400e89d71f0057fd3b2a5ca52a86c578117
SHA512: b1c36851e3c7013993b731050f2d822e27c103cb180a96bbaa21b7a2d6d3ced1af50b18754b28ccd07c1582badcf6b85a53c58e1640df3d53ee3a5cafcd0c1a3
SSDEEP: 6144:AOrOvqYpYTMwztNHbUNx3U4asqgBoXb1QDM6ut19b6WTZ:frQCTMktJik4aIU2DvuhD
Static task: static1

Behavioral task: behavioral1
Sample: Product list Quotation.zip
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: Product list Quotation.zip
Resource: win10v2004-20240508-en

Behavioral task: behavioral3
Sample: Product list Quotation.exe
Resource: win7-20240611-en

Behavioral task: behavioral4
Sample: Product list Quotation.exe
Resource: win10v2004-20240508-en
Malware Config

Extracted
snakekeylogger
Protocol: smtp
Host: mail.valleycountysar.org
Port: 587
Username: [email protected]
Password: DKw(r0%wpbd]

http://103.130.147.85
Targets

Target: Product list Quotation.zip
Size: 307KB
MD5: 93be4453708b96f7cfec48745fdb0130
SHA1: bc342be5a50b5d54eb93286dde25a9ca38c334b6
SHA256: 15d8bddbe38f971e40e7dabd625d8400e89d71f0057fd3b2a5ca52a86c578117
SHA512: b1c36851e3c7013993b731050f2d822e27c103cb180a96bbaa21b7a2d6d3ced1af50b18754b28ccd07c1582badcf6b85a53c58e1640df3d53ee3a5cafcd0c1a3
SSDEEP: 6144:AOrOvqYpYTMwztNHbUNx3U4asqgBoXb1QDM6ut19b6WTZ:frQCTMktJik4aIU2DvuhD
Score: 1/10
Target: Product list Quotation.exe
Size: 537KB
MD5: 686765a9837993bcd537f331618ca760
SHA1: 076f9efc6fec1075f83adbfcd5c659ccde48341d
SHA256: 63dbe7d557dc8b87937890df261f61ee69b5c6354aed54d5611baa3e93f66e8e
SHA512: afacb63926fafc52b937194ea2c51ea147157c88ceaf11b37409a1f0faf97121e93711d1acf9be2eb20d2bf7fd7fda8b5275735e4b1488b5d80b7830343ff770
SSDEEP: 12288:/lxGPX90OoD9WTcAycaYUDXKrDU0JxxJv/v+FLuSn:m+9WISa1JMxvv/gLB
Score: 10/10

- Snake Keylogger payload
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext