General

  • Target

    DHL EXPRESS AWB DOC.exe

  • Size

    708KB

  • Sample

    230505-r9ahrsbb52

  • MD5

    4a2fb0d3859d4fb7cb6c97e0a6817584

  • SHA1

    fbd0fa257ac8729fa149eb323853de20469dbbeb

  • SHA256

    8e2b4ef3690596ac262df39667fbc2c9cdd5870a1215fd43e1075261a5dfc529

  • SHA512

    fafca38175457b61dbbd72a02ab6d75172a94b2e5800f2eded4b8f623b5a4676ec796f7ed3dd1636e3b751df1f65424b4ec3e5f13e6e1fde51e35dff88f455ad

  • SSDEEP

    12288:3DMq4fyMw8CJuuJ99fRKKGNDvgeFLtZexgQKxFUTWIEMW:CS9WKGkehQquT

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5799835476:AAFiZfeIZu-7ZRuBqclPng8ud3yXZLUXpw8/sendMessage?chat_id=5666881718

Targets

    • Target

      DHL EXPRESS AWB DOC.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6