General

  • Target

    2031353 Invoice.com.exe

  • Size

    10KB

  • Sample

    221101-h535vahcb9

  • MD5

    ce826e3bff3ccdf70441b26e79f0f8cd

  • SHA1

    859d677c43955b64783a98c01aedf382266f2f2f

  • SHA256

    6caa80b367d2b49fa58d80f0fdce97b52c2283464331e3bd720cf89bba621fbf

  • SHA512

    f9c5e5a7aa02b551ad5dbc2706c2e1c0748ed7f9534062e376e959e8759295b35d30cbef0ae47eedd8c133fe7fe52897137df3b3e5776ed234159d7e8a7102f9

  • SSDEEP

    192:SDWHDAHOBzWswLqPbgJPVZyswyf8stYcFmVc03KY:SDW8HOdiLqjgJ9ZysnfptYcFmVc03K

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5710787447:AAFzffo9Ok4ZQSoKM86n5fAS8hZ6CI9sZyY/sendMessage?chat_id=1672348101

Targets

    • Target

      2031353 Invoice.com.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check that changes behaviour depending on the victim's region.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla, which can contain saved server credentials.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook profile data in the registry holds mail account settings and can include stored passwords.

    • Adds Run key to start application

      Registers itself under a CurrentVersion\Run key so that it is relaunched at user logon (persistence).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used for process injection (e.g. process hollowing), where a suspended process's thread is redirected to attacker-controlled code.
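As an added example (not part of the sandbox report or of the Snake Keylogger sample itself), the following Python ties the extracted C2 and the behavioural signatures above together: it parses a Telegram Bot API exfiltration URL into bot id, secret and chat_id, and turns the signatures (Run-key persistence, FileZilla configuration reads, external-IP lookup, SetThreadContext, Telegram exfil) into hunt rules run over constructed endpoint telemetry. The pipe-delimited log format, the process ids and names in the sample log, and the list of IP-lookup hosts are assumptions chosen for illustration.

```python
"""Hunt rules derived from the sandbox signatures (added example, not report content).

Assumptions: a constructed pipe-delimited telemetry format
    timestamp|pid|image|event|detail
with event in {http, regset, fileread, api}, and an illustrative list of
external-IP lookup hosts. Process names and ids in the sample log are made up.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Telegram Bot API URL: https://api.telegram.org/bot<BOT_ID>:<SECRET>/<method>?chat_id=<CHAT>
TELEGRAM_C2_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)"
)
# Legitimate IP-lookup services stealers query for the victim's external IP (illustrative list).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com"}
# Run-key persistence under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# FileZilla keeps saved sites (with credentials) and recent servers in these files.
FTP_CONFIG_RE = re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.IGNORECASE)


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, secret, method and chat_id; None if not one."""
    m = TELEGRAM_C2_RE.match(url)
    if not m:
        return None
    chat_id = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "secret": m["secret"],
            "method": m["method"], "chat_id": chat_id}


def classify(event, detail):
    """Map one telemetry event to the sandbox signature it matches, or None."""
    if event == "http":
        if parse_telegram_c2(detail):
            return "telegram_c2"
        if (urlparse(detail).hostname or "").lower() in IP_LOOKUP_HOSTS:
            return "external_ip_lookup"
    elif event == "regset" and RUN_KEY_RE.search(detail):
        return "run_key_persistence"
    elif event == "fileread" and FTP_CONFIG_RE.search(detail):
        return "ftp_client_config"
    elif event == "api" and detail == "SetThreadContext":
        return "setthreadcontext"
    return None


def hunt(log_lines, min_indicators=3):
    """Collect indicators per (pid, image); report processes that trip at least min_indicators."""
    hits = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        _ts, pid, image, event, detail = line.split("|", 4)
        indicator = classify(event, detail)
        if indicator:
            hits[(pid, image)].add(indicator)
    return {proc: sorted(inds) for proc, inds in hits.items() if len(inds) >= min_indicators}


# Constructed sample telemetry: one stealer-like process and one benign browser.
SAMPLE_LOG = r"""
2022-11-01T08:00:01|4120|Invoice.com.exe|regset|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Invoice
2022-11-01T08:00:02|4120|Invoice.com.exe|api|SetThreadContext
2022-11-01T08:00:03|4120|Invoice.com.exe|fileread|C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml
2022-11-01T08:00:04|4120|Invoice.com.exe|http|http://checkip.dyndns.org/
2022-11-01T08:00:05|4120|Invoice.com.exe|http|https://api.telegram.org/bot123456789:AAExampleSecretExampleSecretExample/sendMessage?chat_id=42
2022-11-01T08:00:06|2210|firefox.exe|http|https://api.ipify.org/
2022-11-01T08:00:07|2210|firefox.exe|fileread|C:\Users\victim\AppData\Roaming\Mozilla\Firefox\profiles.ini
""".strip().splitlines()


if __name__ == "__main__":
    for (pid, image), indicators in hunt(SAMPLE_LOG).items():
        print(f"{image} (pid {pid}): {', '.join(indicators)}")
    print(parse_telegram_c2(SAMPLE_LOG[4].split("|", 4)[4]))
```

The browser in the sample log trips only the IP-lookup rule and is not reported, which is why the rules are scored per process rather than alerted on individually: an external-IP lookup or a Run key on its own is ordinary, the combination with Telegram Bot API traffic is not. The bot_id:secret pair recovered by parse_telegram_c2 is the full bot token, so treat any report containing it as sensitive and hand it to Telegram's abuse channel rather than reusing it.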
