General
-
Target
PO_RFQ285600.exe
-
Size
1.1MB
-
Sample
221003-qnc64ahbcq
-
MD5
4333cf375f08a3fd4d85375ba7b69be9
-
SHA1
9f020fe29b95b10904b736cf7485b6176641c84a
-
SHA256
dc0440d22e5e04a348da6604a84406ae83ba0100514523bc01914c0d58a12a80
-
SHA512
f531b0e33b52c3be9492eacf1988838f6329c2bcc91e36719a9f5e696662123b54f6ddb7542e05ab47a8f28ba919ca543e87c790767c9b502f0df12b6b45acb0
-
SSDEEP
12288:iK4HTNisc7A8ojYxS8k2QyNywrhdNkUxBlyy9hImIJDTOxTrdIX:9A8oUx5Ny8dyqxnI5Ire
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922
Targets
-
-
Target
PO_RFQ285600.exe
-
Size
1.1MB
-
MD5
4333cf375f08a3fd4d85375ba7b69be9
-
SHA1
9f020fe29b95b10904b736cf7485b6176641c84a
-
SHA256
dc0440d22e5e04a348da6604a84406ae83ba0100514523bc01914c0d58a12a80
-
SHA512
f531b0e33b52c3be9492eacf1988838f6329c2bcc91e36719a9f5e696662123b54f6ddb7542e05ab47a8f28ba919ca543e87c790767c9b502f0df12b6b45acb0
-
SSDEEP
12288:iK4HTNisc7A8ojYxS8k2QyNywrhdNkUxBlyy9hImIJDTOxTrdIX:9A8oUx5Ny8dyqxnI5Ire
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-