General

  • Target

    087c76678dc2e340364a57194aa808ec.exe

  • Size

    579KB

  • Sample

    220704-wjkchaaedm

  • MD5

    087c76678dc2e340364a57194aa808ec

  • SHA1

    8ab9b005110c41be5c3c23b81f7702300c7f3e13

  • SHA256

    82333a581887b69a67e85e98f80a40af27f774b10999fe92d202f4e36f5e1b57

  • SHA512

    3682f04a4581427b1cd6e6fcd5bbf65cbc6c8a3b323e6913202429e76261f3d0e41825af6dbdc45254746c472a2143f279185851854f74d6bd362870961e03ce

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5125489580:AAG9rJipU-Qp9bVmgyzvimlz5gpATRgg5qo/sendMessage?chat_id=5149913163

Targets

    • Target

      087c76678dc2e340364a57194aa808ec.exe

    • Size

      579KB

    • MD5

      087c76678dc2e340364a57194aa808ec

    • SHA1

      8ab9b005110c41be5c3c23b81f7702300c7f3e13

    • SHA256

      82333a581887b69a67e85e98f80a40af27f774b10999fe92d202f4e36f5e1b57

    • SHA512

      3682f04a4581427b1cd6e6fcd5bbf65cbc6c8a3b323e6913202429e76261f3d0e41825af6dbdc45254746c472a2143f279185851854f74d6bd362870961e03ce

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks