General

  • Target: A.exe
  • Size: 670KB
  • Sample: 230505-xdjdpaee39
  • MD5: d56b5825767c11b91408069481007a40
  • SHA1: f448108c0e83fe0ea6f7ece79c98f1d5527d673c
  • SHA256: a158e9d32de440383597798db8deae678b54f6d0378a9788ff1a87a1e239f2f4
  • SHA512: 2b655a89e7302194cba57c1aeb41312fd211407f9a5233d14fd81aa571f27deb3a440d33204d0f4c4eaac322e95859471cf5f22fef2ac8a5339ed3cbdeaf616f
  • SSDEEP: 12288:uZo/arWBv6pOw5XxzwvJLyQ+o5v6nnjqKoe:LarWN6pOgBzwhL8op6nnjqKoe

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot5723707890:AAH2xRvI7tQmHUTxHRRudv8WoyAoxdIIcOI/sendMessage?chat_id=1760125104

Targets

    • Snake Keylogger: Keylogger and Infostealer first seen in November 2020.
    • Snake Keylogger payload
    • StormKitty: StormKitty is an open-source info stealer written in C#.
    • StormKitty payload
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks