General

  • Target

    $10,500...payment.z

  • Size

    924KB

  • Sample

    211107-rgaytsfegn

  • MD5

    7e49784e06758b489351e8e3a2fa45fa

  • SHA1

    4503c64f338bef0efb52a5e8b2c50eb69f6321d0

  • SHA256

    5006f7e335419bd53914bc920c975c869f3e34dff6578d89fb5efa2ec5780ea5

  • SHA512

    bfb9e4018ea085f305038c1acd9257cc150dc97cb588bf4c1c00b2cb6ee3f3dc12f0674a9314b4abf3738cf8e2efe7a0e2270098800ae45363dcfd6db960ec47

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.eskibaghotel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    EsKibag34.!.
C2

https://api.telegram.org/bot2054539741:AAE5gWguD-A1Kc21UNA06aLNpNpz0gToBXc/sendMessage?chat_id=1947722068
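The extracted config above gives two exfiltration paths: SMTP to the hotel's mail server and a Telegram Bot API URL. Turning it into structured, defanged indicators is the first thing a responder does with it. The script below is an added example for this report, not part of the sandbox's own tooling. The key/value parsing, the Telegram token regex and the output field names are this example's own assumptions; the sample text is constructed from the config shown above, with the SMTP username and password left out because the parser does not need them.

```python
"""Structured, defanged indicators from a Snake Keylogger config block.

Added example for this report, not the sandbox's own code. The Telegram token
grammar below is inferred from observed tokens, not a published spec.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the extracted config, flattened to "key: value" lines.
SAMPLE_CONFIG = """\
Protocol: smtp
Host: mail.eskibaghotel.com
Port: 587
C2: https://api.telegram.org/bot2054539741:AAE5gWguD-A1Kc21UNA06aLNpNpz0gToBXc/sendMessage?chat_id=1947722068
"""

# Bot API paths look like /bot<numeric id>:<secret>/<method>. The secret alphabet and
# minimum length are assumptions from observed tokens.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)$")


def parse_telegram_c2(url: str) -> Dict[str, Optional[str]]:
    """Split a Telegram Bot API URL into the parts worth hunting on.

    bot_id and chat_id stay stable even if the operator rotates the token;
    the secret is what you hand to Telegram for takedown.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: %r" % url)
    m = _BOT_PATH.match(parts.path)
    if m is None:
        raise ValueError("path is not /bot<id>:<secret>/<method>: %r" % parts.path)
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "secret": m["secret"], "method": m["method"], "chat_id": chat}


def defang(text: str) -> str:
    """Make an indicator safe to paste into tickets and chat (hxxp, [.])."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def parse_config(text: str) -> Dict[str, str]:
    """Read 'Key: value' lines. Values may contain ':' (URLs), so split only once."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def extract_indicators(text: str) -> Dict[str, List[dict]]:
    """Return the network indicators a responder would block or hunt for."""
    cfg = parse_config(text)
    out: Dict[str, List[dict]] = {"exfil": [], "c2": []}
    if cfg.get("protocol", "").lower() == "smtp" and "host" in cfg:
        port = int(cfg.get("port", "25"))  # SMTP default if the config omits it
        out["exfil"].append({"protocol": "smtp", "host": cfg["host"], "port": port})
    if "c2" in cfg:
        tg = parse_telegram_c2(cfg["c2"])
        tg["url_defanged"] = defang(cfg["c2"])
        out["c2"].append(tg)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(SAMPLE_CONFIG), indent=2))
```

Blocking `api.telegram.org` outright is rarely acceptable, so the useful detection handle is the path prefix `/bot2054539741:` in outbound TLS SNI plus proxy logs, together with SMTP submissions to `mail.eskibaghotel.com:587` from hosts that are not mail clients.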

Targets

    • Target

      $10,500...payment.exe

    • Size

      362KB

    • MD5

      b4503d42c881483231526eb323664d09

    • SHA1

      9a8b487d92dd811108c6389d0a44b4a732950ccc

    • SHA256

      bcdd4effb61279070652ca7ef77f7ffd5dfb9d8f59dfcea10795ea265e3eb22f

    • SHA512

      5d31d88a3165cb5d4613d3c2477b804c1c6473c203fa8ba2473aa4948f2d263316b7cdf493b36edc58719e24dd4cefd2e9aca4cc42f2cb2616b9bebb819a48fe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Commonly seen when a loader writes its payload into a suspended child process and redirects the main thread to it (process hollowing).

    • Target

      Microsoft offic-.exe

    • Size

      593KB

    • MD5

      8b7f1dcf0caf3efffc01533c96a74549

    • SHA1

      09b79e350615e6c7e0a233adc626f0cf738dac80

    • SHA256

      d8dfcdaa950d6281082e4c0949da37172edf53b51f8403b1d07cfcb4325e9432

    • SHA512

      6740e42db205e9213d49096dbc9578083d5c02bd22c617cd254cfbc0a30dc44a31eed3d643380d16a3280bcc5c911234e157b6b040b319537a4b42092a14aacc

    • Modifies system executable filetype association

    • Neshta

      Neshta is a file infector: it inserts its own code into other executables to spread, so every infected .exe becomes a new carrier.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.
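The "Modifies system executable filetype association" signature on the second target is the Neshta persistence trick: once the .exe association points at the dropped copy, the infector runs before every program the user launches. The script below is an added example, not part of this report, for checking that value on a host. It assumes the stock Windows default of `"%1" %*` for `HKEY_CLASSES_ROOT\exefile\shell\open\command` and treats anything placed in front of `"%1"` as an interposed launcher; the tampered sample value is constructed to mirror public Neshta write-ups and is not taken from this report.

```python
"""Check whether the .exe file-type association has been redirected.

Added example for this report, not sandbox code. Assumes the stock default
'"%1" %*'; the "neshta_style" sample value is constructed for illustration.
"""
import sys
from typing import Dict, Optional

DEFAULT_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"exefile\shell\open\command"  # under HKEY_CLASSES_ROOT


def is_exefile_association_tampered(command: str) -> bool:
    """True unless the (Default) value is the stock one, ignoring case and extra whitespace."""
    return " ".join(command.split()).lower() != DEFAULT_EXEFILE_COMMAND.lower()


def launcher_of(command: str) -> Optional[str]:
    """Return whatever runs before the real target ("%1"), or None if nothing does."""
    cmd = command.strip()
    idx = cmd.find('"%1"')
    if idx < 0:
        idx = cmd.find("%1")
    if idx < 0:
        return cmd or None  # no target placeholder at all: the whole value is the launcher
    prefix = cmd[:idx].strip()
    return prefix or None


def assess(command: str) -> Dict[str, object]:
    """Summarise one association value for a triage note."""
    return {
        "command": command,
        "tampered": is_exefile_association_tampered(command),
        "launcher": launcher_of(command),
    }


def read_exefile_command() -> Optional[str]:
    """Read the live value on Windows; returns None elsewhere so the module imports cleanly."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
        return value


# Constructed sample values: the stock default and a Neshta-style redirect (illustrative).
SAMPLES = {
    "stock": '"%1" %*',
    "neshta_style": r'%SystemRoot%\svchost.com "%1" %*',
}

if __name__ == "__main__":
    live = read_exefile_command()
    rows = ([("live", live)] if live is not None else []) + list(SAMPLES.items())
    for name, cmd in rows:
        print(name, assess(cmd))
```

`HKEY_CLASSES_ROOT` is a merged view of `HKLM\SOFTWARE\Classes` and `HKCU\SOFTWARE\Classes`; if the merged value is tampered, check both hives to see whether the change was made per-user or machine-wide, and treat the launcher path as the next file to collect.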
