General

  • Target

    TRANSFER SLIP.zip

  • Size

    577KB

  • Sample

    221002-qy359saffm

  • MD5

    ba6bc4087f57975b2886bab4fcad816c

  • SHA1

    563df6c5fbbb4c10e7e738659bffc9bfe802144d

  • SHA256

    38543c4955269b467bcbf29ce2cffae11ba6640ef517010b0ed59d6777493f42

  • SHA512

    ddff7d0f43bd1f9764525e6a2ee30ba1c6fbe02b771de83790de433df0775af4682709ea8edb871b77f388b8f1393f64d35be567b76905ab2f80810ee104e16e

  • SSDEEP

    12288:YReNpZPg2iP3XZqzrqn2ZjS9NJoW0BEJMAFjn+F3GRwSp6:YRexI1PX8zeuRmJMQ+F3gE

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430

Targets

    • Target

      TRANSFER SLIP.exe

    • Size

      1.0MB

    • MD5

      7a6b0980328902701e46b0e67288b565

    • SHA1

      18eece768efd6b51990336bd7d580902db79f951

    • SHA256

      8c456876915598dc988732791d60ea7129c1f03f9eabd10951ce2996c9c0997f

    • SHA512

      e167579fbe129b819fc79581a34fc58c0fefb773ca7bc0e98b7024435cc0c8f0df7fbe86be21ecf338eedb7aeb442c8ec0a7b67a44330c1c219683f560bd168e

    • SSDEEP

      12288:NikVrArSr9kMp1txX2iNoADqjJ5nmZhS/NFMWINKJmAtnn+F3ORwspu:xrArSrBv1Qjr+NoJm4+F3+A

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 3

    Email Collection (T1114): 1

Tasks