General

  • Target

    Voyage Order Details.exe

  • Size

    647KB

  • Sample

    230507-h65easfc4w

  • MD5

    23a1f61ba07f8af3e0b379e15ee42d61

  • SHA1

    cc6fa54ce4a0b0338aa2b575c217c6923f4474b2

  • SHA256

    1a6f98c2107fd310ce83b4e6fe93635f9f82a8a2cd5ed746aa630b6580d83ed6

  • SHA512

    185381fabfd445cb841843aa3a3f5d90f885b7ceab14df747912ef93411608fc016ff35e8ec1372584154a0fd8bfad3a43a6f033b6218db27fc189aec2f63f34

  • SSDEEP

    12288:XV2iN1Bzn85RByi+Ztq+Gre/InTJGYdRtMlDE+UkBxTEFA9KLp:l1p85yi+ZtgreQTAORsOA63Lp

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks