General

  • Target

    fcb23667b36b5125d4d0b9a63d7fb6574924e979d377ed02912dbf0780f6dd6f

  • Size

    1.2MB

  • Sample

    221003-bhrd7sbfal

  • MD5

    5594b8c9e87193bba39894ac1fe26e25

  • SHA1

    3c53fa09eb2c698ec938c6c78660716d481b1a34

  • SHA256

    fcb23667b36b5125d4d0b9a63d7fb6574924e979d377ed02912dbf0780f6dd6f

  • SHA512

    a9e2b098751fcd83bea4554b48c4abcf5ccea1b8c85a2d862bad22214d49d934a43ebde89ef7419f8e8e43e4b9b3ace9e0e5d576520f2613682116f2af828106

  • SSDEEP

    24576:hdUgKgRv/jx9EUXnNKJpfew8DQdaE3Ulf6kiTO:ggKgNV9EUXnQpfXjdGfv

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: cp5ua.hyperhost.ua
  • Port: 587
  • Username: arinzelog@steuler-kch.org
  • Password: 7213575aceACE@#$
  • Email To: arinze@steuler-kch.org

C2

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext