General
-
Target
Bank Transfer-April Due pdf.exe
-
Size
926KB
-
Sample
210618-4kjwflgjxj
-
MD5
1ba9f0cff517d4f42fd88857de31f27b
-
SHA1
59f33cd5d80f850a6de452c026e6d937217b9cff
-
SHA256
04253e566268069d633182f191b77a0f0f994d907da2f3512dbe344576baec06
-
SHA512
d843ba0c998de4e068dcb728aea58d4d1511dcf71ccb6de92ef41c45abaa186e5dd49f347cbdf1298ca90a570328a4ff927dbf59c8f87aa4e5b22f4361b363e0
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.jrtlndia.com - Port:
587 - Username:
tsadmin@jrtlndia.com - Password:
CNGKwKI7
Targets
-
-
Target
Bank Transfer-April Due pdf.exe
-
Size
926KB
-
MD5
1ba9f0cff517d4f42fd88857de31f27b
-
SHA1
59f33cd5d80f850a6de452c026e6d937217b9cff
-
SHA256
04253e566268069d633182f191b77a0f0f994d907da2f3512dbe344576baec06
-
SHA512
d843ba0c998de4e068dcb728aea58d4d1511dcf71ccb6de92ef41c45abaa186e5dd49f347cbdf1298ca90a570328a4ff927dbf59c8f87aa4e5b22f4361b363e0
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Uses the VBS compiler for execution
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-