General

  • Target

    MIGNAJbHqqz0hqw.exe

  • Size

    710KB

  • Sample

    230507-h64srsfc31

  • MD5

    623f0ebaec76d49523c21c0479ea7d69

  • SHA1

    6b961a655f34d11f2bdcf2e5ab2b7f7d5598a9dd

  • SHA256

    5fa4736f2cc0d0643d02cb400a7be79acf2a4c7085d34b7837ecdd3a1c34b058

  • SHA512

    4f1ba30ce362c185a14cd69abc8095d72e8bce8f436ad1ec7eddcc773f2769896ccc8d1d4c0900e434fefe801eebb19b5d08cff5e21ba973db0f0422ad2fd799

  • SSDEEP

    12288:TNRYC4v3JDM8WoxoYRSVY5NN8xTDOsfldsYQwmLvIdzfiOPa:JRYhv3e8WozoV7Vq4mcdzfTP

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
