SecuriteInfo.com.Trojan.PackedNET.507.9142.2207

General
Target

SecuriteInfo.com.Trojan.PackedNET.507.9142.2207

Size

751KB

Sample

210122-b8r7xkaz9a

Score

10/10
MD5

c7b57a6ecc4533c754e1c04789e242d0

SHA1

c252dbd1653bbfc5bb2941b8965c9daf41e066f6

SHA256

8b720e30117cfb204a068bfea7b482d1dfef2966fa32ecc2cabc3fe488674258

SHA512

95c3fff30f403addb4bbd74e86349303d14fa7ffe78c0e511145ac56b7b498842c774ff0e3d8636f3cee9dfb8b7cf4c80ebbce991e2d572afecf3bf593afcac8

Malware Config

Extracted

Protocol smtp
Host mail.tavmachine.com
Port 587
Username m.michy@tavmachine.com
Password G{y7.W#Ni!-A
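The extracted configuration is the sample's exfiltration channel: whatever the keylogger collects is mailed out through the mailbox above, over the SMTP submission port on mail.tavmachine.com. Those five fields, together with the file hashes under General, are what a responder hunts with. The Python below is an added example, not code from the report or from any Snake Keylogger analysis: it turns the config into indicators, computes the base64 forms in which the username and password would appear in an SMTP AUTH LOGIN or AUTH PLAIN exchange, and runs the indicators over a handful of constructed key=value log lines (the log format, workstation names, timestamps and the benign hostname are assumptions made for the demo).

```python
import base64
import re

# Values copied from the sandbox report above (Malware Config and General).
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "mail.tavmachine.com",
    "port": 587,
    "username": "m.michy@tavmachine.com",
    "password": "G{y7.W#Ni!-A",
}
SAMPLE_HASHES = {
    "md5": "c7b57a6ecc4533c754e1c04789e242d0",
    "sha1": "c252dbd1653bbfc5bb2941b8965c9daf41e066f6",
    "sha256": "8b720e30117cfb204a068bfea7b482d1dfef2966fa32ecc2cabc3fe488674258",
}


def smtp_auth_tokens(username, password):
    """Base64 forms in which the credentials appear on the wire.

    AUTH LOGIN sends username and password as two separate base64 lines;
    AUTH PLAIN (RFC 4616) sends one line, base64 of "\\0user\\0pass".
    Either is only visible while the session is not yet inside TLS.
    """
    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    user, pw = username.encode("utf-8"), password.encode("utf-8")
    return {
        "login_user": b64(user),
        "login_pass": b64(pw),
        "plain": b64(b"\x00" + user + b"\x00" + pw),
    }


def build_indicators(config, hashes):
    """Flatten the config and hashes into {indicator_type: set(values)}."""
    tokens = smtp_auth_tokens(config["username"], config["password"])
    return {
        "c2_host": {config["host"].lower()},
        "c2_port": {str(config["port"])},
        "smtp_auth_token": set(tokens.values()),
        "hash": {h.lower() for h in hashes.values()},
    }


KV_RE = re.compile(r"(\w+)=(\S+)")


def classify(line, ind):
    """Return the indicator types that one key=value log line matches."""
    kv = dict(KV_RE.findall(line))
    hits = []
    name = (kv.get("qname") or kv.get("dst_name") or "").lower().rstrip(".")
    if name in ind["c2_host"]:
        hits.append("c2_host")            # DNS lookup of, or connection to, the exfil host
        if kv.get("dport") in ind["c2_port"]:
            hits.append("smtp_exfil")     # ...on the submission port from the config
    if kv.get("line") in ind["smtp_auth_token"]:
        hits.append("smtp_auth_token")    # plaintext AUTH credentials seen in a capture
    if any(kv.get(k, "").lower() in ind["hash"] for k in ("md5", "sha1", "sha256")):
        hits.append("known_sample")       # EDR / file event naming this binary
    return hits


def scan(lines, ind):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = classify(line, ind)
        if hits:
            results.append((line, hits))
    return results


# Constructed log lines for the demo (not from the report): a DNS query, the
# submission-port connection, a plaintext SMTP AUTH line captured before
# STARTTLS, an EDR file event carrying the sample's SHA-256, and one benign line.
_TOKENS = smtp_auth_tokens(EXTRACTED_CONFIG["username"], EXTRACTED_CONFIG["password"])
SAMPLE_LOGS = [
    "ts=2021-01-22T09:12:01Z src=WS-017 qname=mail.tavmachine.com qtype=A",
    "ts=2021-01-22T09:12:02Z src=WS-017 proto=tcp dst_name=mail.tavmachine.com dport=587",
    "ts=2021-01-22T09:12:03Z src=WS-017 smtp=client line=" + _TOKENS["login_user"],
    "ts=2021-01-22T09:15:44Z src=WS-017 event=file_create sha256=" + SAMPLE_HASHES["sha256"],
    "ts=2021-01-22T09:20:00Z src=WS-021 proto=tcp dst_name=update.example.net dport=443",
]


def run_demo():
    return scan(SAMPLE_LOGS, build_indicators(EXTRACTED_CONFIG, SAMPLE_HASHES))


if __name__ == "__main__":
    for line, hits in run_demo():
        print(", ".join(hits).ljust(24), line)
```

Port 587 is normally used with STARTTLS, so the AUTH tokens are only recoverable from a capture taken before the TLS upgrade or at a TLS-inspecting proxy; the DNS query for the host and the outbound connection to it on port 587 are the dependable network signals. Treat the username and password strictly as indicators and never authenticate to the mailbox with them.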
Targets
Target

SecuriteInfo.com.Trojan.PackedNET.507.9142.2207

Signatures

  • Snake Keylogger

    Description

    Keylogger and infostealer first seen in November 2020. In this sample the collected data is exfiltrated over SMTP using the mailbox shown under Malware Config.
  • Snake Keylogger Payload

  • Drops startup file

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this heuristic as likely ransomware behaviour, but for a keylogger/infostealer it is better read as host and drive discovery than as a prelude to encryption, which is why the mapped technique is System Information Discovery.

    TTPs

    System Information Discovery (T1082)
  • Suspicious use of SetThreadContext (a common process-injection / process-hollowing primitive)

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation.

Tasks

static1

behavioral2

10/10