General

  • Target

    DMStioshPWWQJWm.exe

  • Size

    690KB

  • Sample

    230507-ryencafa27

  • MD5

    0ace70c2bc94f4ca950dcb66753293fe

  • SHA1

    a0a04a509017336fe23b2506c31dbfcb2b5a86d4

  • SHA256

    25c432720e7e86454a3156b83a485e94fcea7ae77f791a0c0d5810e5ab72ebea

  • SHA512

    389f24f241ee4f285157a34dedcc6a40862c391d087b85f244f781e4eb4b7461eccf407011829eee7ee20c2c99d4eb3d663b09a06756de4424d419ca61af0d80

  • SSDEEP

    12288:wDGPjDjEBh9nvTmzGTU3YB73NnYdaZKj4J7ueCDIDpRqSh96J/yyM+:wS/Gh9vTmGA3YB79YdI04BuJDIDp4W65

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6273702310:AAGUtuDoY11m3LCVw0RgYYXqZb-1CRvB5Ok/sendMessage?chat_id=6143595836

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open-source infostealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
