Ecol Sp RFQ.122113.gz

General

Target: Ecol Sp RFQ.122113.gz
Size: 606KB
Sample: 210611-l8wvqsr12a
Score: 10/10
MD5: 9ccb9d6bb146704c793ec0d36787d8d6
SHA1: bc16362c681288f93bf5c481fc3e7890e3737e19
SHA256: 96b12d371375868fc87d73454805ea2db22f27d46424808c9c3a2cd8fba03296
SHA512: 27b9117969eec77f3bdfdc01c9d1c9f09d3e5859dce7e8d096cc84643290de22b2c9a240d0462bda7b6d69fb04244d1dc8ee51e40b65c1554f503d4f2e8f369c

Malware Config

Extracted

Family: snakekeylogger
C2: https://api.telegram.org/bot1841252439:AAFeBNk12wAgfxXFXtqpw50JT4iCgTc-FsM/sendMessage?chat_id=-487183096

Targets

Target: Ecol Sp RFQ.122113.exe
MD5: 9a2225e1b9acd802016c1d880528de49
Filesize: 836KB
Score: 10/10
SHA1: 0e9b0abd02fd0c321ddbd6b3140c7c3cf0fa1d9d
SHA256: 38b556205aa56d97e3e6e2702bd4822b489403e3903132493893e5aced988b83
SHA512: 424029d7bcd9276a7b1c920f80feda282a53f61f75bc665c5b388c5cc8b2a148489bbf1ef67dedd635c3999284145899d725188b54cff792edfbf173859395ae

Signatures

  • Snake Keylogger

    Description: Keylogger and Infostealer first seen in November 2020.

  • Looks up external IP address via web service

    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1
10/10