General

  • Target

    Request for quotation.pdf.exe

  • Size

    833KB

  • Sample

    210121-sg2n5hlry6

  • MD5

    0a6a9a6952d0843b4e30de450fc6f4dc

  • SHA1

    2a0e41b31f4ad88bfc01da061580823291a79e4f

  • SHA256

    2a14b5270f533a8a0ee7448977d31be369f3d54ca661e75dabf8561e8581751b

  • SHA512

    e5b6eb3c3b5fea0440086decb37c7e08d686e69dae8449d9af33293db2af16f8637eb671b07141e13208e2543c1104326999789574b3f2bfa93bf856cc32f967

Malware Config

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

System Information Discovery (T1082): 1

Tasks