General
-
Target
VESSEL Q88.exe
-
Size
189KB
-
Sample
220704-jcdj6afcfp
-
MD5
09831ae5e1d71e46b17c11453103f0d2
-
SHA1
051535fcd7a71c6a68b1bcb782479b1c73dc69fb
-
SHA256
73e4f070272e4a09024944c9efd73070c6c8762f98db9f6ddecda7244a50ceca
-
SHA512
ab6fb2a5e1cc54fd8f302e642cb6ed677cc7835288e1f4d1978ae518ee2eaacc45337bd18388d55ce21b0bd28db726adc9eec6c183d68e30204739244f2d9e48
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot1897716112:AAEAtOCkOV8umHBB93Og24bkiIdUKReGK44/sendMessage?chat_id=1745211648
Targets
-
-
Target
VESSEL Q88.exe
-
Size
189KB
-
MD5
09831ae5e1d71e46b17c11453103f0d2
-
SHA1
051535fcd7a71c6a68b1bcb782479b1c73dc69fb
-
SHA256
73e4f070272e4a09024944c9efd73070c6c8762f98db9f6ddecda7244a50ceca
-
SHA512
ab6fb2a5e1cc54fd8f302e642cb6ed677cc7835288e1f4d1978ae518ee2eaacc45337bd18388d55ce21b0bd28db726adc9eec6c183d68e30204739244f2d9e48
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-