General

  • Target

    Proforma adjunta Nº 42037,pdf.exe

  • Size

    34KB

  • Sample

    210504-1rdlqp9abx

  • MD5

    f7565a4825eb92f2859114bb5a08b60d

  • SHA1

    83d47736d04939e1c01b3df7720109c6d5ca9f78

  • SHA256

    2b3f661e6165b5a63130acb2509821a895f0eee94e7af31fdd6abd32db3ab687

  • SHA512

    2ad41ac31f5349ca16bd6112663a7ca6dc4a9e77562ca12458a54337a779ffbb9b7b91a710cabd37944b001001fede4c803cd40e47e78393b13a162c9cf78ac4

Malware Config

Extracted

Family

oski

C2

203.159.80.72

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1761516426:AAE3Juu_v6fG9Gy1S33LdTvyz85ua-duZsk/sendMessage?chat_id=1727399585

Targets

    • Oski

      Oski is an infostealer targeting browser data and crypto wallets.

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    Credentials in Files: T1081 (4)

  • Discovery

    Query Registry: T1012 (2)

    System Information Discovery: T1082 (2)

  • Collection

    Data from Local System: T1005 (4)

Tasks