General
Target: ATTACHED COPY..docx
Size: 16KB
Sample: 240628-che7lsyakq
MD5: 10c774db881a877ea4c25b62d754b77a
SHA1: fea962e22d25df7d72b3121c60c7820e7ac84a92
SHA256: d1c19d7d9e7c1d0d192b7cef272688627f19dd965627a342a450fc15c18ac477
SHA512: c9b530730243a869e25f77219cc62789cb4ce1b9efb9ebc1834f2738502a5fd0652825860d3b39ffe16c2b1f2b2448d4a6b1d0277eb591e34acedf42d3fb89e0
SSDEEP: 384:gyXc0x2WXYs8PL8wi4OEwH8TIbE91r2fRcJYLvi/ma/nvnx:gccd/5P3DOqnYJaKvama/p
Static task: static1
Behavioral task: behavioral1
  Sample: ATTACHED COPY..docx
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: ATTACHED COPY..docx
  Resource: win10v2004-20240611-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.artefes.com
Port: 587
Username: [email protected]
Password: ArtEfes4765*+
Targets
Target: ATTACHED COPY..docx
- Snake Keylogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext