General

  • Target

    SCREENSHOT SWIFT MARCH.docx.doc

  • Size

    10KB

  • Sample

    230322-vsjlwscb3x

  • MD5

    c0c359300612d9461aa517a963259d58

  • SHA1

    1c0150ee52c12ff1191d3283287ad42e1150b1ae

  • SHA256

    e373c9158dd1c3dee8e680362ffa9e2e755ac6664b4785c06e5b7e207678f9b3

  • SHA512

    61256d7c26444d815d41883eec301ae4dbb60673e402cfea9389c4993c0a8b23fd02b3233daf7279b690034be243ffb89a0ca7f6ecd9a49012a18b45a5fb4651

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uOrj6l+CVWBXJC0c332:SPXU/slT+LOruHkZC9m

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://OASOSIDFOSWEROEROOWRWERWEREWWW0W83W338W83WOWRWWRWRWRW9W9R9W9R9WR9W9RW9R9W9R9W9R0WR7RR7W7RW7RRW7R66WSD6DSD6S6D6DSD66D6S@1755852395/19...............................19..............DOC

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    002@frem-tr.com
  • Password:
    jCXzqcP1 daniel 3116

Targets

    • Target

      SCREENSHOT SWIFT MARCH.docx.doc

    • Size

      10KB

    • MD5

      c0c359300612d9461aa517a963259d58

    • SHA1

      1c0150ee52c12ff1191d3283287ad42e1150b1ae

    • SHA256

      e373c9158dd1c3dee8e680362ffa9e2e755ac6664b4785c06e5b7e207678f9b3

    • SHA512

      61256d7c26444d815d41883eec301ae4dbb60673e402cfea9389c4993c0a8b23fd02b3233daf7279b690034be243ffb89a0ca7f6ecd9a49012a18b45a5fb4651

    • SSDEEP

      192:ScIMmtP1aIG/bslPL++uOrj6l+CVWBXJC0c332:SPXU/slT+LOruHkZC9m

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks