RFQSDCL1005C1N5STDFM01.doc

General
Target: RFQSDCL1005C1N5STDFM01.doc
Size: 991KB
Sample: 210122-djt5qlywqa
Score: 10/10
MD5: 09d4af0b227dc3974954cc05f28bf8bc
SHA1: 473e5ddb68275afba681213c7293219f93c8a7d4
SHA256: 7fe770f2a75d693076b3f2c81baa8bf27ba82d84b287bb5df381cc214b95eb6b
SHA512: 8d1a0be85fb32f53975d9aabf4510690aa4561eb81aa558e2404211595ba7288bdb5798d8389d3c3fd77fe4ba7d65c999f3b92f01626a9e18d6d9d91ca976689

Malware Config

Extracted
Protocol: smtp
Host: mail.tavmachine.com
Port: 587
Username: m.michy@tavmachine.com
Password: G{y7.W#Ni!-A
Targets
Target: RFQSDCL1005C1N5STDFM01.doc
Filesize: 991KB
Score: 5/10
MD5, SHA1, SHA256, SHA512: identical to the values listed under General above

Signatures

  • Snake Keylogger
    Description: Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

  • Suspicious use of SetThreadContext

Tasks
static1
behavioral2
5/10