General
- Target: NYMPH THETIS V2402B.zip
- Size: 306KB
- Sample: 240627-vhak8s1bkc
- MD5: 6d2d2598e209a04ea8a9507946e8bfb3
- SHA1: 1c3b34e113a1399302a7add29fc1f4cba4c1c272
- SHA256: 6aa3f6881dc4470bc2cd9488d3cbf752793cc27e390fb4f4071da5b2fb4e4d33
- SHA512: 967605e11abd6e616331006c74a0959aab840e1686b952db4cec500a2ad295f362ef88b0dbd341f8e8e18caf183e1da55f98f51fb9d85f2cc6a073fdff161a43
- SSDEEP: 6144:tOV/iM7NRweN/gI5af0Q25gLVD7Yfi56/G97ye7xWicWlMzgGaBtFNUxTgb:MV/iMNRDN/75afQ52QrRFicVMnBzp
Static task: static1
Behavioral task: behavioral1
- Sample: NYMPH THETIS V2402B.zip
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: NYMPH THETIS V2402B.zip
- Resource: win10v2004-20240508-en
Behavioral task: behavioral3
- Sample: NYMPH THETIS V2402B.exe
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: NYMPH THETIS V2402B.exe
- Resource: win10v2004-20240611-en
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.valleycountysar.org
- Port: 587
- Username: [email protected]
- Password: DKw(r0%wpbd]
- http://103.130.147.85
Targets
- Target: NYMPH THETIS V2402B.zip
- Size: 306KB
- MD5: 6d2d2598e209a04ea8a9507946e8bfb3
- SHA1: 1c3b34e113a1399302a7add29fc1f4cba4c1c272
- SHA256: 6aa3f6881dc4470bc2cd9488d3cbf752793cc27e390fb4f4071da5b2fb4e4d33
- SHA512: 967605e11abd6e616331006c74a0959aab840e1686b952db4cec500a2ad295f362ef88b0dbd341f8e8e18caf183e1da55f98f51fb9d85f2cc6a073fdff161a43
- SSDEEP: 6144:tOV/iM7NRweN/gI5af0Q25gLVD7Yfi56/G97ye7xWicWlMzgGaBtFNUxTgb:MV/iMNRDN/75afQ52QrRFicVMnBzp
- Score: 1/10
- Target: NYMPH THETIS V2402B.exe
- Size: 537KB
- MD5: 2bb3a0278b348e2111eb424e5d554081
- SHA1: c5e880229775d114cc5d4560f41360d999e7461a
- SHA256: 1da9c25bf39cdfdf6d448c0f4823db54848fc65e1ef41656900479f83013aa54
- SHA512: b94412e774b3cb0fb78cc7e0abaf2645f9077635b9d7fb730c6942918c02624911db35ba55ccabcec079bbc9d15ee33997a28c7b01dc9350000971a924a3798a
- SSDEEP: 12288:/JREc4DmRRAEQbw5Is89pOpRiWsLJv/v+SLuSn:T/bYU5DCpOp8zFv/XLB
- Score: 10/10
- Snake Keylogger payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext