General

  • Target

    Purchase Order No.89006993.pdf.exe

  • Size

    525KB

  • Sample

    230508-p47vzacd9z

  • MD5

    642c03d1224483f2ba16da4a691100f7

  • SHA1

    9b13434cb7918cd7189b79b1db5c06e83d1b6336

  • SHA256

    b050f56ceec41d0c409065b66cf598cbaf75a565afab1b47552624e085a3a9c4

  • SHA512

    ff4f0e171e39baad90a30f1ee83da18bed1e960960eca691bbd1243cb0c7839478d5216a469d3c7780b31220b4d657a5992fa02dd372a6e85dc7e9a5fbd6b1ac

  • SSDEEP

    6144:7WhOS6fwOVienfQoWBzXvJLnpPiQYOi0VyJnHVf1b2ce9KjgkjePrkWCG7bSmah3:BLfWF/BB+1f1ukj6AIa+nudUjc

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6211421153:AAHeRHp_sRbnZsNC_iCcj1JzI0_X_zXJLFA/sendMessage?chat_id=2126102657

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks