Description
Keylogger and Infostealer first seen in November 2020.
RFQSDCL1005C1N5STDFM01.doc
General
Target
Size
Sample
RFQSDCL1005C1N5STDFM01.doc
991KB
210122-djt5qlywqa
Score
10 /10
MD5
SHA1
SHA256
SHA512
09d4af0b227dc3974954cc05f28bf8bc
473e5ddb68275afba681213c7293219f93c8a7d4
7fe770f2a75d693076b3f2c81baa8bf27ba82d84b287bb5df381cc214b95eb6b
8d1a0be85fb32f53975d9aabf4510690aa4561eb81aa558e2404211595ba7288bdb5798d8389d3c3fd77fe4ba7d65c999f3b92f01626a9e18d6d9d91ca976689
Malware Config
Extracted
| Protocol | smtp |
| Host | mail.tavmachine.com |
| Port | 587 |
| Username | m.michy@tavmachine.com |
| Password | G{y7.W#Ni!-A |
Targets
Target
MD5
Filesize
RFQSDCL1005C1N5STDFM01.doc
09d4af0b227dc3974954cc05f28bf8bc
991KB
Score
5 /10
SHA1
SHA256
SHA512
473e5ddb68275afba681213c7293219f93c8a7d4
7fe770f2a75d693076b3f2c81baa8bf27ba82d84b287bb5df381cc214b95eb6b
8d1a0be85fb32f53975d9aabf4510690aa4561eb81aa558e2404211595ba7288bdb5798d8389d3c3fd77fe4ba7d65c999f3b92f01626a9e18d6d9d91ca976689
Tags
Signatures
-
Snake Keylogger
-
Snake Keylogger Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Enumerates physical storage devices
Description
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Tags
TTPs
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks