General

  • Target

    a3e34d9df2e5ed18ecb2236c44428ecb068bf476767eb482e0812eeb761071fd

  • Size

    542KB

  • Sample

    230505-xfla3aeg78

  • MD5

    0d4950c69afb9b3c9b2d52b7b5ae9d41

  • SHA1

    83d808fb0f8b8e35fc9ffa92fa0ff6e90bb55da0

  • SHA256

    a3e34d9df2e5ed18ecb2236c44428ecb068bf476767eb482e0812eeb761071fd

  • SHA512

    e4c81c5c28229566513ed59baade14f9ed2c197d7c38345a68a36eede6e5f7c538e081e2969089e37d25510e919f1f8f35d4c8bcea548094306e48923b216769

  • SSDEEP

    12288:7LalT62iZFFmfaG/I2U7ttsqbEvxA9RDM6uARdWzMM:qY2uFmfaG/I2ULBb2A/DM6dEYM

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5905114115:AAEtJ13Y8sU1fQgR9KsdZZhYCIQmu7J2ahU/sendMessage?chat_id=5334267822

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks