General

  • Target

    Po.0087654112.exe

  • Size

    769KB

  • Sample

    220704-ve652aadan

  • MD5

    e16a257a2e79f06962e2946545b57967

  • SHA1

    9bde3b985a877e21832497d48442012ea31471ff

  • SHA256

    57880d7e6823f9f978c7bf24260a35e8e62eaca02ba5d07832257529e9707b3c

  • SHA512

    8b1a20a4e82ff91b5ee8964189d21dad23836fa3c39d21b6036d84f1a620b7e5b2420e27604063a1a9d2fde74f55c86236f7ae1e233b9d3aa73963c163513a87

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gaoyang-county-ycm.com
  • Port:
    26
  • Username:
    info@gaoyang-county-ycm.com
  • Password:
    nb34m5bf
  • Email To:
    info@gaoyang-county-ycm.com

Targets

    • Target

      Po.0087654112.exe

    • Size

      769KB

    • MD5

      e16a257a2e79f06962e2946545b57967

    • SHA1

      9bde3b985a877e21832497d48442012ea31471ff

    • SHA256

      57880d7e6823f9f978c7bf24260a35e8e62eaca02ba5d07832257529e9707b3c

    • SHA512

      8b1a20a4e82ff91b5ee8964189d21dad23836fa3c39d21b6036d84f1a620b7e5b2420e27604063a1a9d2fde74f55c86236f7ae1e233b9d3aa73963c163513a87

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Credential Access
    Credentials in Files (3) T1081
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (3) T1005
    Email Collection (1) T1114

Tasks