General

  • Target

    56516426-056C-4DBA-984B-979F68AB8D188.scr

  • Size

    2.0MB

  • Sample

    220806-hxneeseda5

  • MD5

    635daf270aefeef62956e548bec3dfa7

  • SHA1

    5da8ce1ce4c52f70a352915d7d9c4e801d82da14

  • SHA256

    a862027201de12628e1b10ac0683ce7ef2cc56e8b758e7db7b2b0bc29e192839

  • SHA512

    21c5bb9ebf7b91224beee05c6a641e47de4952748728296da944ba14989f17e0b545d02c3d30176b23f2328809e9ff6f246e527bc56c42baf48ed63f87afb7e3

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5335728373:AAE0XSYzSQbblHhLHkfzUBSGGlJlBP1LGLA/sendMessage?chat_id=5563565662

Targets

    • Target

      56516426-056C-4DBA-984B-979F68AB8D188.scr

    • Size

      2.0MB

    • MD5

      635daf270aefeef62956e548bec3dfa7

    • SHA1

      5da8ce1ce4c52f70a352915d7d9c4e801d82da14

    • SHA256

      a862027201de12628e1b10ac0683ce7ef2cc56e8b758e7db7b2b0bc29e192839

    • SHA512

      21c5bb9ebf7b91224beee05c6a641e47de4952748728296da944ba14989f17e0b545d02c3d30176b23f2328809e9ff6f246e527bc56c42baf48ed63f87afb7e3

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks