General

  • Target

    RFQSDCL1005C1N5STDFM01.doc

  • Size

    991KB

  • Sample

    210122-djt5qlywqa

  • MD5

    09d4af0b227dc3974954cc05f28bf8bc

  • SHA1

    473e5ddb68275afba681213c7293219f93c8a7d4

  • SHA256

    7fe770f2a75d693076b3f2c81baa8bf27ba82d84b287bb5df381cc214b95eb6b

  • SHA512

    8d1a0be85fb32f53975d9aabf4510690aa4561eb81aa558e2404211595ba7288bdb5798d8389d3c3fd77fe4ba7d65c999f3b92f01626a9e18d6d9d91ca976689

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tavmachine.com
  • Port:
    587
  • Username:
    m.michy@tavmachine.com
  • Password:
    G{y7.W#Ni!-A

Targets

    • Target

      RFQSDCL1005C1N5STDFM01.doc

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Exploitation for Client Execution, T1203 (1)
  • Defense Evasion
    Modify Registry, T1112 (1)
  • Discovery
    System Information Discovery, T1082 (3)
    Query Registry, T1012 (2)

Tasks