General
-
Target
Listed Product.r01
-
Size
353KB
-
Sample
211020-edv4dagee9
-
MD5
c18b7703de340288eb3952b59097b89e
-
SHA1
54d04a1663f4b7a028a0ea8b91e7a2a517c39a89
-
SHA256
afa364aae5e77c66a62213774e0eac0680e24b45e504f85ed284b5b1b9e8fc32
-
SHA512
793f4349046583cc0357bfc09f2b712ea83a5f6d0d5f9c6aa0e6779235fd91160f1c5eace56409a2d57dd21a9ded19c4babfa916950fe61c664e30b4619e0d74
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendMessage?chat_id=1063661839
Targets
-
-
Target
Listed Product.exe
-
Size
445KB
-
MD5
a0d71ca643ab39c23b18e2f45282a9a4
-
SHA1
3378802a61cce072963789f8e79cbf3118d9443b
-
SHA256
44ebf617496d7c7d6fdae0dcdac3d1964cd28af093dd19c3e6b897af83b3d9ea
-
SHA512
b59717c45eef4015e6cc04c6651da1f69baad79feed2a473af13717f5dd2ae459e50d27ce25d325d4233a5f6a7b27926f485e69d37b2bd7d79a704f6fdf19d45
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-