General

  • Target

    c4bc99be2d00ad7e96c9f192f31da7d25c5971b3463b7f28f5a42659a4829ef7

  • Size

    927KB

  • Sample

    221031-cyvl8saghm

  • MD5

    14d671c4129975e8f9fd494f1dedd4b5

  • SHA1

    ba0ea614384146029b74ea300680d529dc251bea

  • SHA256

    c4bc99be2d00ad7e96c9f192f31da7d25c5971b3463b7f28f5a42659a4829ef7

  • SHA512

    64b7b17b1efe0a29f736f03d643024e2bfc2761a393d1020a062980d95191f22aeb1640e3a76083264de87963a073b928f6d2f13ffb4b2803ab85197bbbca26f

  • SSDEEP

    24576:AOvdxkV5uJlQrndlgPEAggaor7VaSs7Z:AE+V5uL0ndK8Ag7Ss

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5793325124:AAGHzRsq2tvLBf23l8pkEofcJjw4AQXsgAQ/sendMessage?chat_id=2086616067
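
The C2 above is a Telegram Bot API endpoint: the path carries the bot token (`<numeric bot id>:<secret>`), the method (`sendMessage`), and the query string names the operator's `chat_id`. The bot id is the only part worth putting into a shared hunt rule, since the secret is a live credential. The following is an added example, not code from the sandbox or from the malware; it parses that URL into its fields and scans a constructed proxy log (the log format, the client addresses and the second bot token are all made up for illustration) for Bot API calls, flagging any whose bot id is already tied to a known sample.

```python
"""Parse a Snake Keylogger Telegram C2 URL and hunt for Bot API exfil in proxy logs.

Added example; not part of the sandbox report. The first token is the one the
report extracted and is a working credential: do not call the API with it.
"""
import re
from urllib.parse import urlsplit, parse_qs

# C2 string exactly as extracted by the sandbox (Malware Config section).
C2 = ("https://api.telegram.org/bot5793325124:AAGHzRsq2tvLBf23l8pkEofcJjw4AQXsgAQ"
      "/sendMessage?chat_id=2086616067")

# Token = "<numeric bot id>:<alphanumeric secret>". Only the id is safe to share.
TOKEN_RE = re.compile(r"^(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})$")
# Bot API paths look like /bot<token>/<method>.
PATH_RE = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API URL into bot id, secret, method and chat_id."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    path = PATH_RE.match(parts.path)
    if not path:
        raise ValueError(f"unexpected Bot API path: {parts.path}")
    token = TOKEN_RE.match(path.group("token"))
    if not token:
        raise ValueError("malformed bot token")
    query = parse_qs(parts.query)
    return {
        "bot_id": token.group("bot_id"),
        "secret": token.group("secret"),
        "method": path.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
        # Hunt string that identifies the bot without disclosing the secret.
        "hunt_prefix": f"api.telegram.org/bot{token.group('bot_id')}:",
    }


# Constructed proxy log: "<epoch> <client> <verb> <url> <status>" per line.
# The ip-lookup host and the second bot token are invented for the example.
SAMPLE_PROXY_LOG = "\n".join([
    "1667212801.123 10.0.0.23 GET https://www.example.com/ 200",
    "1667212803.456 10.0.0.23 GET https://ip-lookup.example/ 200",
    f"1667212805.789 10.0.0.23 GET {C2} 200",
    "1667212810.001 10.0.0.57 POST https://api.telegram.org/bot1234567890:"
    + "A" * 35 + "/sendDocument 200",
])


def find_telegram_exfil(log_text: str, known_bot_ids=()) -> list:
    """Return one hit per Bot API request in the log, in log order.

    Each hit records client, bot id, API method and whether the bot id is
    already attributed to a known sample, so triage can prioritise it.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the hunt
        _ts, client, _verb, url, _status = fields[:5]
        try:
            info = parse_telegram_c2(url)
        except ValueError:
            continue  # not a Bot API call
        hits.append({
            "client": client,
            "bot_id": info["bot_id"],
            "method": info["method"],
            "known": info["bot_id"] in known_bot_ids,
        })
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(C2)
    print("bot id:", c2["bot_id"], "chat_id:", c2["chat_id"], "method:", c2["method"])
    for hit in find_telegram_exfil(SAMPLE_PROXY_LOG, known_bot_ids={c2["bot_id"]}):
        print(hit)
```

Any `api.telegram.org/bot<id>:` request from a workstation is worth a look even when the bot id is unknown, since legitimate Bot API use is rare outside developer machines. Exercising the extracted token (for example calling `getMe` or `getUpdates` with it) tips off the operator and is not part of analysis; report it to Telegram instead.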

Targets

    • Target

      c4bc99be2d00ad7e96c9f192f31da7d25c5971b3463b7f28f5a42659a4829ef7

    • Size

      927KB

    • MD5

      14d671c4129975e8f9fd494f1dedd4b5

    • SHA1

      ba0ea614384146029b74ea300680d529dc251bea

    • SHA256

      c4bc99be2d00ad7e96c9f192f31da7d25c5971b3463b7f28f5a42659a4829ef7

    • SHA512

      64b7b17b1efe0a29f736f03d643024e2bfc2761a393d1020a062980d95191f22aeb1640e3a76083264de87963a073b928f6d2f13ffb4b2803ab85197bbbca26f

    • SSDEEP

      24576:AOvdxkV5uJlQrndlgPEAggaor7VaSs7Z:AE+V5uL0ndK8Ag7Ss

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used by process-injection and process-hollowing techniques to redirect a suspended thread to attacker-controlled code; the signature records the API use itself, not which payload it delivered.

MITRE ATT&CK Enterprise v6

Tasks