General
-
Target
RFQ.exe
-
Size
807KB
-
Sample
230314-wx1xeaah9x
-
MD5
a85949cb7e0347832913f8f1594c5d6f
-
SHA1
f81bdd8581c6018bc70fc8def3c639a2ad2e7dc6
-
SHA256
a1f98c827c062c3a881bafa2d235125cbf15916093a42a2e5471d27a9071f3e8
-
SHA512
73a0e5be46ee74843ff6bf548727b353bb5836ab8707f0680774edb4904d4abaab944f36315ca226b4ace08f3ca55ad0adef4318db194ac5c50e1ff7ea059975
-
SSDEEP
12288:/JuWJsMSz4oqtmjSQkBGzhse2Twym+x7BcMUau9je8S/FbalgEkbBD5:VsMSz4oqtmjSQk81pMxFUaIXS1QgvB1
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6028065759:AAGXMc8NHPy2_lXiMVsOvq8DgefjK4ifT-U/sendMessage?chat_id=5069697890
Targets
-
-
Target
RFQ.exe
-
Size
807KB
-
MD5
a85949cb7e0347832913f8f1594c5d6f
-
SHA1
f81bdd8581c6018bc70fc8def3c639a2ad2e7dc6
-
SHA256
a1f98c827c062c3a881bafa2d235125cbf15916093a42a2e5471d27a9071f3e8
-
SHA512
73a0e5be46ee74843ff6bf548727b353bb5836ab8707f0680774edb4904d4abaab944f36315ca226b4ace08f3ca55ad0adef4318db194ac5c50e1ff7ea059975
-
SSDEEP
12288:/JuWJsMSz4oqtmjSQkBGzhse2Twym+x7BcMUau9je8S/FbalgEkbBD5:VsMSz4oqtmjSQk81pMxFUaIXS1QgvB1
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-