General

  • Target

    Invoice and Packing List.doc

  • Size

    11KB

  • Sample

    221004-admpsadbhr

  • MD5

    06e10f3fce4796770b76d377bd7771f6

  • SHA1

    1a1a8ebd2069d5eb6398d3aaca4664355d97ffb9

  • SHA256

    42487bd90d60cc3c61a5af0a126f8e2e4a855e680099d1a6fda96eb658645026

  • SHA512

    96dc85090e60d99e27362451768e12f6c661b30c7c8e4729159ffde3baee2523d662eacf76b2273b3a4ef8e5fd1df9317fcbd6e27c3df21b8abc379da883ad13

  • SSDEEP

    192:PUOHmYnerLSeHJx7EswiUcvaqVlHz3WbMr6TcxyUNDViT6QkfF:8OHmaenSeHJxgsdvaUHzmbM0cxyUN0du

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662
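The extracted C2 is a Telegram Bot API endpoint, so the bot token (the `bot<id>:<secret>` path segment) and the `chat_id` are the two indicators worth pivoting on. The example below is added here and is not part of the sandbox report or the malware: it splits the URL into those components and runs a small detection over constructed proxy log lines (not captured from this run), flagging any Bot API request whose token matches the extracted config, and any Bot API request from a process that is not an expected Telegram client. The process allowlist and the log layout (timestamp, client IP, process image, URL) are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 URL from the extracted Snake Keylogger config above.
TELEGRAM_C2 = ("https://api.telegram.org/bot5321688653:"
               "AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662")

# Telegram Bot API request paths have the shape /bot<bot_id>:<secret>/<method>.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)/?$")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into IOC fields; return None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        # The full token is the attacker's bot credential; treat it as the primary IOC.
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": chat_id,
    }


# Constructed proxy log lines (not from the sandbox run):
# timestamp, client IP, process image, URL.
SAMPLE_PROXY_LOG = """\
2022-10-04T09:12:01Z 10.0.0.15 dropped.exe https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662
2022-10-04T09:12:02Z 10.0.0.15 dropped.exe https://www.office.com/
2022-10-04T09:13:40Z 10.0.0.22 chrome.exe https://api.telegram.org/bot111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
2022-10-04T09:14:05Z 10.0.0.30 Telegram.exe https://api.telegram.org/bot222222222:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendMessage?chat_id=42
"""

# Assumed allowlist: processes from which Bot API traffic is expected on this estate.
ALLOWED_BOT_API_CLIENTS = {"telegram.exe"}


def scan_proxy_log(log_text, known_c2=TELEGRAM_C2):
    """Return one finding per suspicious Bot API request.

    verdict is 'known_c2' when the token matches the extracted config and
    'unexpected_client' for any other Bot API use from a non-allowlisted process.
    """
    known = parse_telegram_c2(known_c2)
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, client, process, url = fields
        ioc = parse_telegram_c2(url)
        if ioc is None:
            continue
        if known and ioc["token"] == known["token"]:
            verdict = "known_c2"
        elif process.lower() in ALLOWED_BOT_API_CLIENTS:
            continue
        else:
            verdict = "unexpected_client"
        findings.append({"time": ts, "client": client, "process": process,
                         "bot_id": ioc["bot_id"], "method": ioc["method"],
                         "chat_id": ioc["chat_id"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The token match is the high-confidence signal; the process-based rule catches re-tokened variants of the same family at the cost of tuning the allowlist. Because the traffic is TLS to a legitimate host, this only works where the proxy has URL visibility; on plain DNS or NetFlow data, `api.telegram.org` alone is too common to alert on.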

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6