General

  • Target

    Hzgbdtv.exe

  • Size

    7KB

  • Sample

    230127-rcnzwsch8t

  • MD5

    13f56221e7b4ef51feaa422a92804aaf

  • SHA1

    c0dc841f1683b4588106ab80e46e7767cebcc354

  • SHA256

    e691ec947eca2d0cceec93a841a639238c1a69f96860fcbcd864c59a36dfac58

  • SHA512

    1c3d3a571f8eb4225bdd16b729663f3cca8b373f09e607b032641c1adedd0af3b34f0b3b9cb90a54c89afd761ec6d0d8ee88d6b8dcc05117b84341702dbe0fca

  • SSDEEP

    96:OfGUTjV1Cs/61o2AlTYHSJ+A2BqtmWQHtEkOCJjVEIBRxzNt:OfT/V1Zxl32IcWQHzOCjJ/T

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5824924248:AAF4WKjJ8FxpNsC2HwCM114EP_g8rFkC4wQ/sendMessage?chat_id=2054148913

Targets

    • Target

      Hzgbdtv.exe

    • Size

      7KB

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry: T1012 (1)
    System Information Discovery: T1082 (2)

  • Collection

    Email Collection: T1114 (1)