General

  • Target

    0076545678000.exe

  • Size

    1.0MB

  • Sample

    220705-r36ydsabhk

  • MD5

    9bda8e2707dc9b3ca9b1c95981d144b1

  • SHA1

    aab28e64faf476b5387249452a72e352cc445cf9

  • SHA256

    74e63c84e986d1f2bc04a315d6232960b99a0148c215c04fa40de78b17a5fa9c

  • SHA512

    012ccdaa448e5d01a4f485479be40540e00d7d75a566b48df2d91cecca9d98fd35d340b9b26f1bb0cd79537b28070e43c56c72d93bb0b7746e323f8475a1894f

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5476629412:AAGbkcFsGq72YxKoGZjVmRBskss9nHikjMc/sendMessage?chat_id=5594190904

Targets

    • Target

      0076545678000.exe

    • Size

      1.0MB

    • MD5

      9bda8e2707dc9b3ca9b1c95981d144b1

    • SHA1

      aab28e64faf476b5387249452a72e352cc445cf9

    • SHA256

      74e63c84e986d1f2bc04a315d6232960b99a0148c215c04fa40de78b17a5fa9c

    • SHA512

      012ccdaa448e5d01a4f485479be40540e00d7d75a566b48df2d91cecca9d98fd35d340b9b26f1bb0cd79537b28070e43c56c72d93bb0b7746e323f8475a1894f

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Downloads MZ/PE file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks