General
-
Target
194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
-
Size
16KB
-
Sample
240705-bxm1bs1gkg
-
MD5
d5ab2de292b70d3a7f0fc16b236c325b
-
SHA1
b7e498349dae307fdf4d08dfb5de5eccba4ac3d5
-
SHA256
194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f
-
SHA512
2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee
-
SSDEEP
384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI
Static task
static1
Behavioral task
behavioral1
Sample
194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
Resource
win10v2004-20240704-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.ebizindia.com - Port:
587 - Username:
[email protected] - Password:
Duro Mausam
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.ebizindia.com - Port:
587 - Username:
[email protected] - Password:
Duro Mausam
Targets
-
-
Target
194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
-
Size
16KB
-
MD5
d5ab2de292b70d3a7f0fc16b236c325b
-
SHA1
b7e498349dae307fdf4d08dfb5de5eccba4ac3d5
-
SHA256
194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f
-
SHA512
2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee
-
SSDEEP
384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI
-
Snake Keylogger payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-