General

  • Target

    PO#4500373371.exe

  • Size

    1.0MB

  • Sample

    220930-k7bjqaeacm

  • MD5

    3f37c61883a95bde5e894bed43d4b5f3

  • SHA1

    bb76d28f611a7050a00b0dd7ee0c87b45f2aac19

  • SHA256

    e0be66e9fe306de304b7f7b9227c124b9eeb9b0cf4afca86f64bdd057477ac2f

  • SHA512

    7da6709a6d36c9b3967cd9a1c5e930b07cca2b69858591ba3dd7c1be2a97bd4ecd8783d53b643834145caf23f4fcfda36994ffc9f5920c288d39901a323c9ae1

  • SSDEEP

    12288:m5+PQKFgirpg8kFXyvi8FV4D7oyzX1dMn7IDuEZONyLDQRS7a9:mKFxdn3K83k7oqMnEDV

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5587666659:AAG8NrrXJQs__dhk8nLJBFOspz2my8OVpX0/sendMessage?chat_id=5569775004

Targets

    • Target

      PO#4500373371.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks