General

  • Target

    PURCHASE ORDER E3007921.EXE

  • Size

    31KB

  • Sample

    210511-phj2fe1pkx

  • MD5

    dac3ac141a3e0abb27839284a1df864c

  • SHA1

    8802717f07d933b2478b0cae6f410cce79b9f0a9

  • SHA256

    9af68d42d1d36c20d81306679715a6f7e3d427d8c039344653f4ec6b43cd7ac5

  • SHA512

    3d984a6a4d689d950d8a3e55b2ec6901f4525ae8e7cce41be7ee0267cd9808da20c30ff9de43715b57b613a946215bf37aea999e5ac79e2ab1d7b63fc9d994f0

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1791466927:AAHD_mKnN05jD74hk8VEfBe-NORCSbM6oaM/sendMessage?chat_id=1413771094

Targets

    • Target

      PURCHASE ORDER E3007921.EXE

    • Size

      31KB

    • MD5

      dac3ac141a3e0abb27839284a1df864c

    • SHA1

      8802717f07d933b2478b0cae6f410cce79b9f0a9

    • SHA256

      9af68d42d1d36c20d81306679715a6f7e3d427d8c039344653f4ec6b43cd7ac5

    • SHA512

      3d984a6a4d689d950d8a3e55b2ec6901f4525ae8e7cce41be7ee0267cd9808da20c30ff9de43715b57b613a946215bf37aea999e5ac79e2ab1d7b63fc9d994f0

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Downloads MZ/PE file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks