General

  • Target

    608a6d08b4a99e405b845e5cf70f4fe1.bin

  • Size

    928KB

  • Sample

    230505-w31tladc35

  • MD5

    e7f07da47d4346ba08653f1f5148b15c

  • SHA1

    e9c2e0b44594c2ada0526f627feb08bc0ae3ebce

  • SHA256

    76053847e7861cb559a1f0f1cef802382eadd73cdb2009838959912c7ed7d2be

  • SHA512

    ad9fc0a26af6db0c5790d3be3f8232793e0f06b413e55e15d9fb6edd0665eeda3d5fd81e32d792a33753255141e4fc751218264c9f4aa2ba94446e90df01a77d

  • SSDEEP

    24576:sa1BiiMIu339pB734a0gr13M5409Icee3SIdpVL:hniJI63nB7VrZM5F9IcFXd/

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      MV GOLDEN SCHULTE PARTS.exe

    • Size

      542KB

    • MD5

      764acf7bd23649efdb25086f62d69ce5

    • SHA1

      b4560eef798766d6737b33708ffc720c773e5a7d

    • SHA256

      23032bc9472a424d68f6423a31bf3e9cf0fa5ded87ab630d1a8234091758f4de

    • SHA512

      292b149ef1d2f0e8821d551b83c871e73b990ef2f2334b4489329b175a49f67c6bce6536f228072c408fa65d1771ccff35fc6c576235816d1b7f880c6059ada3

    • SSDEEP

      6144:t445seHtUlG/GdH7Vya9DPyI9Ww7B8rNYd3P8l4JpBB4EDNX67iMUHtDq40zaHeE:kAsOEVyaNv9W/I3P8lupBB7W8440rJd

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks