General

  • Target

    81bf7194541beae3d3878600b63e5753.bin

  • Size

    406KB

  • Sample

    230505-w7x89sdg68

  • MD5

    b39be69b4a0d8d99367e6f41bae35121

  • SHA1

    3e0a61c3bf29d07ebb5ec2d653796f205f049c02

  • SHA256

    f569fb20b7b098896bb88a8ad460ad1b847ed9b9a43cc7e577eca2d5de80ab20

  • SHA512

    e0bbd6688527dd02f0ab32c2b62afbc9f86bfc425ae408504a510cfeda70e13f4dc52e054990ff57316edda068e0b1524e668594e3886a8f02f4671a65ca23b0

  • SSDEEP

    12288:M3INNuj+l+J+Li9P7mrxMK2oJG74A9WrgbP:MEuWf+MrKKxG744vT

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot5435719278:AAFkA_rGsUomupSCBqIPHcOBw0iPF0KuOG0/sendMessage?chat_id=5666881718

Targets

    • Target

      201a70eaa336c001f0573d3a2915e2c372df418bbf27c8729b30e4b08da2e8c9.exe

    • Size

      584KB

    • MD5

      81bf7194541beae3d3878600b63e5753

    • SHA1

      67ce7c1ace75ee46b8ce83feedaef37c1f0a59a2

    • SHA256

      201a70eaa336c001f0573d3a2915e2c372df418bbf27c8729b30e4b08da2e8c9

    • SHA512

      09b0a2ec5ce3ffac0705cf27973da0a26ed45eaef2893dc25fdc43b102219f0bbc768d50ac8ca5fdfac32af1cf5777bf74e6bd72a4543baa1bd2fd607473f4ee

    • SSDEEP

      6144:LMZIXrvWfZJpKtHrnI9Dw17I+Ic5T1LxHE8CZV8m+oNRJOO2jRq2E71lOWMqp7t/:e+nIm7I+TRVCEm+oX52RIxlH7tUFu

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks