General
-
Target
AWB15062022.js
-
Size
512KB
-
Sample
220616-hel4msfcbl
-
MD5
7e151e208de35b5a41db278b3cf0c5b3
-
SHA1
65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b
-
SHA256
c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534
-
SHA512
04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861
Targets
-
-
Target
AWB15062022.js
-
Size
512KB
-
MD5
7e151e208de35b5a41db278b3cf0c5b3
-
SHA1
65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b
-
SHA256
c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534
-
SHA512
04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-