General

  • Target

    Purchase_Order_11_19_20.exe

  • Size

    715KB

  • Sample

    201119-mjqrcb4cz2

  • MD5

    e492155e4d4cab9522ef4144234c8069

  • SHA1

    97694934fc9e0caf9efb751e687ca7290f79ff2d

  • SHA256

    18d86210ca1721632ee4a17030313ca4c9f60aa0657d83a6cc576b9889558eef

  • SHA512

    094a8f459e10e20540cd0fc2f4cc8445aa7ac1b720eed0636fb8baf24cdda39a3f7b20b2e8d964bc6f2f15fd95847d721e77a1056594cd0d5ccd907c76812217

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.zavidovici.ba
  • Port:
    587
  • Username:
    opcina.zavidovici@zavidovici.ba
  • Password:
    12Opc21!

Targets

    • Target

      Purchase_Order_11_19_20.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                Count  ID
  Execution              Scheduled Task           1      T1053
  Persistence            Scheduled Task           1      T1053
  Privilege Escalation   Scheduled Task           1      T1053
  Credential Access      Credentials in Files     3      T1081
  Collection             Data from Local System   3      T1005
