General

  • Target

    PO. 4500129645.pdf.exe

  • Size

    549KB

  • Sample

    220521-a6x18aeddm

  • MD5

    f7c5e33a5643b753e390d04823584f71

  • SHA1

    62b46991b702107cd1ee9871b1c1a417a3346616

  • SHA256

    dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851

  • SHA512

    c871b0597199f11b5273359b5de4d314517b1c226f99542f676f61b230b35e6dc1633356fa2cf016567757ef59cb01d8f408cf542f38aa19fd1b13e00652d94a

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5392870078:AAEZf0ajeo_PMkBddeC_JE--NP4u4367N6c/sendMessage?chat_id=1856108848

Targets

    • Target

      PO. 4500129645.pdf.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                     Count  ID
Execution              Scheduled Task                1      T1053
Persistence            Scheduled Task                1      T1053
Privilege Escalation   Scheduled Task                1      T1053
Credential Access      Credentials in Files          3      T1081
Discovery              Query Registry                1      T1012
Discovery              System Information Discovery  2      T1082
Collection             Data from Local System        3      T1005
Collection             Email Collection              1      T1114

Tasks