General

  • Target

    PO 6543YT56.xlsx.exe

  • Size

    716KB

  • Sample

    230507-h7hxpafc71

  • MD5

    e72c3c7e9bfc1c83e80dd1b05690d397

  • SHA1

    504dfac9169b56e60e30fcda112f5336e13411f3

  • SHA256

    fd36e87f08b87a1413854b9763d7603f12be2b5b15d2d4f87537d840faff3123

  • SHA512

    78b346705b89a5fa85e648f20f142175535df47b3387df1a7606ff8cdcc9f0e9d1a17053a5c37a6fc21b69428575fb1a67d3507ba95ace6eabac71791ee0918c

  • SSDEEP

    12288:xKmKY9Iq23dyes13kJa/zQV2C32ehROILOpeJ4wKk9MVePemjeFbpW:47MjaSoJV/OVMMvLzW

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/sendMessage?chat_id=6200392710
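
The extracted C2 is a Telegram Bot API URL: the bot token is the `bot<id>:<secret>` path element and the receiving chat is the `chat_id` query parameter. The following added example (not code from the sandbox or the page) splits the URL into those indicators and then runs the same parser over a few constructed proxy log lines to show what the exfiltration request looks like next to benign traffic. The log layout, the IP-lookup host in it and the second, non-matching bot token are assumptions made for the demo.

```python
import re
from urllib.parse import parse_qs, urlparse

# C2 URL as extracted by the sandbox for this sample (copied from the report above).
SAMPLE_C2 = (
    "https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM"
    "/sendMessage?chat_id=6200392710"
)

# Bot API path: /bot<numeric id>:<secret>/<method>. Real secrets are 35 characters;
# the lower bound is kept loose so a slightly different format still matches.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into indicators worth pivoting on.
    Returns None for anything that is not a Bot API call."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    qs = parse_qs(u.query)
    return {
        "bot_id": m.group("bot_id"),              # also the bot's Telegram user id
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),              # sendMessage for exfil, sendDocument for files
        "chat_id": qs.get("chat_id", [None])[0],  # the operator's receiving chat
    }


# Constructed proxy log (not from the report): "timestamp src_ip method url".
# FAKE_TOKEN is an invented, non-matching token used only to show a second bot.
FAKE_TOKEN = "1111111111:" + "A" * 35
PROXY_LOG = (
    "2023-05-07T10:12:01Z 10.0.0.14 GET https://www.microsoft.com/\n"
    "2023-05-07T10:12:05Z 10.0.0.14 GET https://checkip.example.net/\n"
    f"2023-05-07T10:12:06Z 10.0.0.14 POST {SAMPLE_C2}\n"
    f"2023-05-07T10:13:00Z 10.0.0.22 GET https://api.telegram.org/bot{FAKE_TOKEN}/getMe\n"
)


def hunt_telegram_exfil(log_text, known_tokens=()):
    """Return one hit per Bot API request seen in the log, flagging those whose
    token matches a token recovered from a malware config."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, src, _method, url = parts
        ind = parse_telegram_c2(url)
        if ind is None:
            continue
        hits.append({"ts": ts, "src": src, **ind,
                     "known_c2": ind["token"] in known_tokens})
    return hits


if __name__ == "__main__":
    print(parse_telegram_c2(SAMPLE_C2))
    for hit in hunt_telegram_exfil(PROXY_LOG, known_tokens={parse_telegram_c2(SAMPLE_C2)["token"]}):
        print(hit)
```

The path, and with it the token, is only visible where TLS is terminated or inspected; on the wire you otherwise see only DNS and SNI for api.telegram.org, which plenty of legitimate clients also contact. Hunt on the token and chat_id from the extracted config, and correlate api.telegram.org connections with the other behaviours the report lists (external IP lookup, browser profile reads) rather than alerting on the domain alone. Calling the Bot API yourself with a recovered token (getMe, getChat) contacts attacker infrastructure and can tip the operator off; treat it as an active measure, not passive analysis.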

Targets

    • Target

      PO 6543YT56.xlsx.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020. The Telegram Bot API URL in the extracted config is this sample's exfiltration channel: stolen data is posted to the operator's chat via the sendMessage method.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers routinely read browser profile directories, which hold saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook profiles in the registry store mail account settings and saved credentials, a standard infostealer target.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to learn the infected host's external IP, which is reported alongside the stolen data. The lookup domain itself is benign, so treat it as a corroborating indicator rather than alerting on it alone.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process is characteristic of process hollowing (RunPE): the loader starts a legitimate process suspended, writes the payload into it and repoints the thread's instruction pointer at the injected entry point.
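
A triage sweep for this sample's file indicators, as an added example that is not the sandbox's code: the target name `PO 6543YT56.xlsx.exe` is a document-extension lure on an executable, so the sweep flags that naming pattern as well as files whose SHA256 matches the reported hash. The evidence directory, its file contents and the second lure name are constructed for the demo; the report's binary is not available here, so random bytes stand in for it and their own hash is added to the watch list to exercise the hash match.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the report above.
REPORT_NAME = "PO 6543YT56.xlsx.exe"
REPORT_SHA256 = "fd36e87f08b87a1413854b9763d7603f12be2b5b15d2d4f87537d840faff3123"

# Decoy "document" extensions commonly paired with a real executable extension.
DECOY_EXT = {"xlsx", "xls", "docx", "doc", "pdf", "csv", "txt", "jpg", "png", "zip"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}


def lure_extension(name):
    """Return (decoy, real) for names such as 'PO 6543YT56.xlsx.exe', else None.
    Trailing spaces and dots are stripped first because Windows ignores them
    when it resolves the real extension."""
    parts = name.rstrip(" .").lower().split(".")
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXEC_EXT and decoy in DECOY_EXT:
        return (decoy, real)
    return None


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large evidence sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_sha256):
    """Walk `root` and return (file name, reasons) for files whose hash is in
    `known_sha256` or whose name is a document/executable double-extension lure."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if sha256_of(path) in known_sha256:
            reasons.append("hash matches reported sample")
        lure = lure_extension(path.name)
        if lure:
            reasons.append(f"{lure[0]} decoy extension on a .{lure[1]} file")
        if reasons:
            findings.append((path.name, reasons))
    return findings


def demo():
    """Constructed evidence directory (no real samples): random bytes stand in
    for the payload and their hash is added to the watch list next to the
    report's SHA256 so the hash-match path is exercised."""
    payload = os.urandom(4096)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / REPORT_NAME).write_bytes(payload)                        # lure name + known hash
        (root / "Invoice.pdf.exe").write_bytes(b"MZ" + os.urandom(512))  # lure name only (invented)
        (root / "Q2 report.xlsx").write_bytes(b"PK\x03\x04" + os.urandom(64))  # benign
        known = {REPORT_SHA256, hashlib.sha256(payload).hexdigest()}
        return sweep(root, known)


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Hash matching only catches this exact build; the SSDEEP value in the report is the hook for near-duplicate builds, and the naming check catches the lure regardless of the payload behind it. Extend `DECOY_EXT` and `EXEC_EXT` to whatever your environment actually sees rather than treating the sets above as complete.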
