General

  • Target

    VSL Q88.rar

  • Size

    18KB

  • Sample

    230125-mq61eafg54

  • MD5

    4b717baf6a9b0c219b44bc5eabc821e2

  • SHA1

    b50f7f4085eda26f6da2398b55ae406ef84f5916

  • SHA256

    3c3a0a24c9dc7ee7cb4a86ef7e113b9835d4dc2c69b915e9d16f68f99799e4c9

  • SHA512

    df0818f521efbe13ea6b177771fedef1a4420e5b4e159eb8ba54cbcec59970d607e11cbaf542c80288e80f4e1d12249b8cc323b846a73b725dfc186ea78158ae

  • SSDEEP

    384:dv2G2yiu/qWbbFYzibCcj7uQSpGy9hUGyt7MVUFFrr/hNpzrrub:deGA/QCOec2/pGy9hUXBZF/jzrrub

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1897716112:AAEAtOCkOV8umHBB93Og24bkiIdUKReGK44/sendMessage?chat_id=1745211648

Targets

    • Target

      VSL Q88.exe

    • Size

      17KB

    • MD5

      abb62deff1e4851be179ab55fb65e4a7

    • SHA1

      36d60ff07bcfdbe6c83c69079c954cc655bd9557

    • SHA256

      35a1eb3544b13e48380568cef531dec8473aa229fa4fccc532898b2c514f05ab

    • SHA512

      2e80e80a3c8b3aa4a2a49a8bdc618f464f399e98da68dac4a558282dc237cdd7e4a899969695661af3d462d0c46e211bbd9ae1ee8a55658f724d852cd98b1e6b

    • SSDEEP

      384:eBHyHMiAiIufjm2g6WeLLB3mDTQ8T3Jd:YHyHMi0ufj3H5F3mDF3T

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      VSL Q88.scr

    • Size

      17KB

    • MD5

      525c930b348f58ecdaf03b08c1a91495

    • SHA1

      5f08e2d33fc791929e29ad5b93a319453c3583a9

    • SHA256

      bb393daf400b3417fdd00e65698a3fdb977cd41cc1df894b630b271ddb4769df

    • SHA512

      44f17df7f6f7bbb505a40d389496f7acca83c8e78b4180fd7e90cad1ea42731ceed36d634780cdec6758b9c8c72a23df726b668ef5e6087bc778eb28e6b0dc0e

    • SSDEEP

      384:gdO0vPqnnphy83JqGq3HLBhoksn1VRi2J2kcQ5Yi:gdnPqnnph53J3q3rBJsnMkcS

    Score
    3/10

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation

                Tasks