Sale_Contract.com.exe

General

Target: Sale_Contract.com.exe
Size: 834KB
Sample: 210121-d4qczq1dds
Score: 10/10
MD5: 82da026cdda027fa16a19d91794c5f9e
SHA1: 354c3df735d48efaba85680367a1bcb8af5e1c7d
SHA256: f8d16a2a7da4ed223329f2bb59f3e0296b6e3b36dee8f7e40a4c0d276a83032d
SHA512: d96994ca3f771a7e31ef7abfdb27526fd8a5c30e18255a2457831d70fdec9e9b4017c3e977de2a1c801112cd450eff7140642d45d527378e4bc6e6c1ba2ca9af

Malware Config

Extracted

Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: smt.treat@yandex.com
Password: WyhjVTBX5hjrgu7
Signatures

  • Snake Keylogger
    Description: Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload

  • Drops startup file

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation