General
-
Target
UPDATED SOA.zip
-
Size
556KB
-
Sample
221002-lw7cpabegl
-
MD5
3dfb0141fce1eaed22ff70e8b830f693
-
SHA1
7b218310f3e501822de21ec243fb32c8f91d59be
-
SHA256
ac9ca9b2d052e51d3a76119b8a640064eeff1693609e54bb316e2749a319f8e2
-
SHA512
94ea66e32631ec40b3741876a2c93e2565d107ebc5048d316f8ff7969cb0ee3538a04a01e4477283e392372e8bd4aef5ca1bc5c079d69d31f0ab7345661b953d
-
SSDEEP
12288:hU2iMUA6r/o6uPvp12XLDNBqGNj5uwY7wQ5HNX9QV8AAtmu97Pa+BM:hU1US/o6svmT15ZY7wKHNX9Qyrt/RP9e
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430
Targets
-
-
Target
UPDATED SOA.exe
-
Size
1001KB
-
MD5
306860afb2d8aaa535fcbf83fde3d36c
-
SHA1
e06af2b9c1cdd72a3fd53f15c7809a83c4076f0c
-
SHA256
c1414c69b3a5c0b020383097fe696a2b6f837657812488db31bed9d1848ee057
-
SHA512
9f2e1e49b95c4fa5c8bf381ebc34ff6d487d21ae8c7cc3f7bc8ad19e02b7ac6516975a42def01b476807a91d24169ae512a10ac6f05f72c9f03c687d201ef8d6
-
SSDEEP
12288:CAeY2iNw0+9MKXACOu1vn1AXvDx5qGN35c2s7thlqjJ5nauNmyF3qNm5rXOHyHis:CAJ1Ie6OEvm3J5bs7thwjr
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-