General

  • Target

    9f9d2eeb4c55962e4771fed02a66ac89.bin

  • Size

    536KB

  • Sample

    230505-xc9jgsgf2v

  • MD5

    3ebbe3625a19b125e43c2efaab443850

  • SHA1

    0a4bbcee9d27b4b88b739fb0e80d512b760577c0

  • SHA256

    a337de7e098cfc5381ba82d16df4a8b6e0a8cb3c15b823365466b13cfe7576b5

  • SHA512

    c6150b581de654456c8b7bea4f8f9fecf145436879db064db098e3a7b7eef93190231297bd371e67f2406d4f6bfcf58cecf75a33d9c91f9e57a311c7f9d42272

  • SSDEEP

    12288:gvVRLJttLN31a50MX0BUnRZO/rcKaBVZac4xHGb+wluOMKiAzlGyf:gvV/tt91Y0Q/itMnac4xHGsOMKLzlG2

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      91af5b7dfb0cba2f5a7b77d317adb7fac20692d9f759127ecbd780e23fc4673d.exe

    • Size

      780KB

    • MD5

      9f9d2eeb4c55962e4771fed02a66ac89

    • SHA1

      1fc000f01ad7c8c55883aaeaceab5bbc5ef3fd77

    • SHA256

      91af5b7dfb0cba2f5a7b77d317adb7fac20692d9f759127ecbd780e23fc4673d

    • SHA512

      6624323775640a844729872e047dff32a7bb6cba6ba2cc801978ab327e1d4c6f0dc4228eb2ca8b8e71df56ce3732621d04cf9c69746f947ec9dbe9304898278c

    • SSDEEP

      12288:DC9PC6YN1Pg+70pKXQlIj5g15BL980v/J11paGdyAwFqJATUR5AzFu9:b5g1z98qZpaGIAAqApu9

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks