General

  • Target

    WQ090090.exe

  • Size

    630KB

  • Sample

    210618-8yqqwwmhfa

  • MD5

    63e701517f119a37e2bfb0326f2f7851

  • SHA1

    aeccae0b7c91487fa9a403abd4afdc37653d88a4

  • SHA256

    d373c0339517c98ee8668e152f5e0987acb36409fb33026d0bab053b84ac6d89

  • SHA512

    02e24b6ed7d71051416919b68cb7b65238ed5ac6e03a3478b9e7f1ccb43319cf4d3028b8a3151e2f6fd9911fc963c89f9a35ef276ceb57099d0aa310b828670c

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783

Targets

    • Target

      WQ090090.exe

    • Size

      630KB

    • MD5

      63e701517f119a37e2bfb0326f2f7851

    • SHA1

      aeccae0b7c91487fa9a403abd4afdc37653d88a4

    • SHA256

      d373c0339517c98ee8668e152f5e0987acb36409fb33026d0bab053b84ac6d89

    • SHA512

      02e24b6ed7d71051416919b68cb7b65238ed5ac6e03a3478b9e7f1ccb43319cf4d3028b8a3151e2f6fd9911fc963c89f9a35ef276ceb57099d0aa310b828670c

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks