General

  • Target

    Presupuesto urgente PST56654256778982, pdf.exe

  • Size

    852KB

  • Sample

    210504-bpyyxrws3a

  • MD5

    d6b608c55871cf8d00f5daacd3d8c858

  • SHA1

    3a53fd8d9d5e5b136aea4083f6881a18c59414ef

  • SHA256

    acb59cfe4c0dcdfdbc835fce99582cae54d6d3afb2233eab94a0a22bfd2c2dd7

  • SHA512

    de560ca58c73b30d40f609b2982b60443c962e714810636b2cff9c4a318b39cf3acfe48ddbd4d0d37569a858a54d0525e5900772e5cbb1fba0c942c4b58bd274

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.endovision.xyz
  • Port:
    587
  • Username:
    info@endovision.xyz
  • Password:
    r)($czxJs0

Targets

    • Target

      Presupuesto urgente PST56654256778982, pdf.exe

    • Size

      852KB

    • MD5

      d6b608c55871cf8d00f5daacd3d8c858

    • SHA1

      3a53fd8d9d5e5b136aea4083f6881a18c59414ef

    • SHA256

      acb59cfe4c0dcdfdbc835fce99582cae54d6d3afb2233eab94a0a22bfd2c2dd7

    • SHA512

      de560ca58c73b30d40f609b2982b60443c962e714810636b2cff9c4a318b39cf3acfe48ddbd4d0d37569a858a54d0525e5900772e5cbb1fba0c942c4b58bd274

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Tasks