General

  • Target

    Payment Request Review.exe

  • Size

    691KB

  • Sample

    230505-p7l3nsce71

  • MD5

    2ff4d870cb02831c65b73f1d0205ce09

  • SHA1

    4ec739c65bc70acd3cbcbddc249630e77754acc5

  • SHA256

    9a97d9127c4f8158ec393f7e0c47bd056fe6eee6c76c05600dd0c219d1de405f

  • SHA512

    3b8190b413a8969bb8377f5918f2d2e4f4d096440be54f2bd6a7b4918e9e88656716b57b4d5ac8bcef7eb5ff39ea7d9e5e21b6e8581eb44ef56132da45ff7aa6

  • SSDEEP

    12288:5c77oMdswXyP1+k9fR4fG0KmuV1By7o/7EK+jQvCiy0zhW:OkkfbuGc/78QvCi

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5435719278:AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0/sendMessage?chat_id=5666881718

Targets

    • Target

      Payment Request Review.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence the infection and skip systems in particular countries.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on the suspended primary thread of another process is the hallmark of process hollowing (RunPE) injection: the loader writes the payload into a newly created, suspended process, points the thread at the payload's entry and then resumes it.

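The extracted config above gives a complete Telegram Bot API URL (bot token plus chat_id), and the signatures show the sample looking up its external IP before exfiltrating. The following is an added example, not part of the sandbox report: it splits that C2 URL into the indicators worth pivoting on and runs them over constructed proxy log lines (the log format, the source IPs, the second bot token and the list of IP lookup services are all assumptions made for the example; only the C2 URL is taken from the report). A host that both queries an IP lookup service and talks to the Bot API shortly afterwards matches the infostealer check-in pattern described by the signatures.

```python
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL exactly as extracted in the report above (real IOC).
C2_URL = ("https://api.telegram.org/bot5435719278:AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0"
          "/sendMessage?chat_id=5666881718")

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the secret is
# matched loosely (30+ token chars) so slightly different lengths still hit.
TOKEN_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)$")

# Assumed list of legitimate IP lookup services commonly abused by stealers.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
                   "ip-api.com", "ipinfo.io"}


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, full token, method and chat_id."""
    parts = urlsplit(url)
    match = TOKEN_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or match is None:
        raise ValueError("not a Telegram Bot API URL")
    return {
        "bot_id": match["bot_id"],
        "token": f"{match['bot_id']}:{match['secret']}",
        "method": match["method"],
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


# Constructed proxy log (not from the report): "<ts> <src_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2023-05-05T10:01:12Z 10.0.0.21 GET http://checkip.dyndns.org/ 200
2023-05-05T10:01:13Z 10.0.0.21 GET http://www.msftncsi.com/ncsi.txt 200
2023-05-05T10:01:15Z 10.0.0.21 POST https://api.telegram.org/bot5435719278:AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0/sendMessage?chat_id=5666881718 200
2023-05-05T10:02:40Z 10.0.0.37 GET https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/getMe 200
"""


def scan_proxy_log(log_text, known_tokens=()):
    """Return (ts, src, category, severity, detail) for every suspicious line.

    Any Bot API call is reported (Telegram is a common stealer exfil channel);
    a token already tied to a known sample is escalated to high severity.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line, skip rather than crash
        ts, src, _method, url, _status = fields[:5]
        parts = urlsplit(url)
        if parts.hostname == "api.telegram.org":
            match = TOKEN_RE.match(parts.path)
            if match:
                token = f"{match['bot_id']}:{match['secret']}"
                severity = "high" if token in known_tokens else "medium"
                hits.append((ts, src, "telegram_bot_api", severity, token))
        elif parts.hostname in IP_LOOKUP_HOSTS:
            hits.append((ts, src, "external_ip_lookup", "low", parts.hostname))
    return hits


def suspicious_hosts(hits):
    """Sources that did an external IP lookup and also talked to the Bot API."""
    by_src = {}
    for _ts, src, category, _sev, _detail in hits:
        by_src.setdefault(src, set()).add(category)
    return {src for src, cats in by_src.items()
            if {"external_ip_lookup", "telegram_bot_api"} <= cats}


if __name__ == "__main__":
    ioc = parse_telegram_c2(C2_URL)
    print("bot id:", ioc["bot_id"], "chat_id:", ioc["chat_id"], "method:", ioc["method"])
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, known_tokens={ioc["token"]}):
        print(hit)
    print("hosts matching the stealer check-in pattern:", suspicious_hosts(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

The bot token is the strongest indicator here: it is unique to the operator's bot, so a proxy or IDS rule on the literal `/bot5435719278:` path prefix catches this family's exfiltration regardless of the victim, while the chat_id only appears in the query string and may be sent in a POST body instead. The IP lookup alone is low severity on its own (plenty of legitimate software does it); it is the combination with a Bot API call from the same source that is worth an alert.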