General

  • Target

    SecuriteInfo.com.Variant.Tedy.125031.6342.7539

  • Size

    559KB

  • Sample

    220705-eaf52sdfdn

  • MD5

    fcb065417cc5d94d1eef8f1fa3799486

  • SHA1

    adec8644878384fbb7a93068aa28a1594f304fcf

  • SHA256

    4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119

  • SHA512

    cef1a45ccadc8131375addf06dd973d0abea9403753c0ca9bf6d256f07f9ba02ff1e72950976d64cc129ac35e7ff2db3b1769614259d9a1198c7aefb9d5fec95

Malware Config

  • Extracted

    Family: snakekeylogger

    C2: https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537

Targets

    • Target

      SecuriteInfo.com.Variant.Tedy.125031.6342.7539

    • Size

      559KB

    • MD5

      fcb065417cc5d94d1eef8f1fa3799486

    • SHA1

      adec8644878384fbb7a93068aa28a1594f304fcf

    • SHA256

      4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119

    • SHA512

      cef1a45ccadc8131375addf06dd973d0abea9403753c0ca9bf6d256f07f9ba02ff1e72950976d64cc129ac35e7ff2db3b1769614259d9a1198c7aefb9d5fec95

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                Technique                      Count  ID
    Execution             Scheduled Task                 1      T1053
    Persistence           Scheduled Task                 1      T1053
    Privilege Escalation  Scheduled Task                 1      T1053
    Credential Access     Credentials in Files           3      T1081
    Discovery             Query Registry                 1      T1012
    Discovery             System Information Discovery   2      T1082
    Collection            Data from Local System         3      T1005
    Collection            Email Collection               1      T1114

Tasks