General

  • Target

    PURCHASE ORDER - XIFFA55,pdf.exe

  • Size

    692KB

  • Sample

    210408-bmb74ynaen

  • MD5

    482d53033495eae28d1fac110da7c444

  • SHA1

    47b22902f521a36b2e2fca3ff3f5bbe53ffc575a

  • SHA256

    d87773d19e7e34fb8951d610e692a40b76fd8d7aedf06ba96e4ea8acfa8147e1

  • SHA512

    d5d22cf9b46688591bc1471617fef337ec502a217ede686f66b06dc9e636141e7b7c710437bedec4a10f108ea9b3f3f89ecfdee1069fce028ee27383fde568a3

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1791466927:AAHD_mKnN05jD74hk8VEfBe-NORCSbM6oaM/sendMessage?chat_id=1413771094

Targets

    • Target

      PURCHASE ORDER - XIFFA55,pdf.exe

    • Size

      692KB

    • MD5

      482d53033495eae28d1fac110da7c444

    • SHA1

      47b22902f521a36b2e2fca3ff3f5bbe53ffc575a

    • SHA256

      d87773d19e7e34fb8951d610e692a40b76fd8d7aedf06ba96e4ea8acfa8147e1

    • SHA512

      d5d22cf9b46688591bc1471617fef337ec502a217ede686f66b06dc9e636141e7b7c710437bedec4a10f108ea9b3f3f89ecfdee1069fce028ee27383fde568a3

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Tasks