General

  • Target

    Invoice Packing List.exe

  • Size

    524KB

  • Sample

    230508-p4mvsscd9y

  • MD5

    ba8e82ee343944e5f003998f14307d39

  • SHA1

    0c142d521a55cd52435f4b65742acf7974f29abc

  • SHA256

    99b2648789b255b806ad8ef3e1452db4ababbf42e2cb91c94cf1d34cab808292

  • SHA512

    f0add3c776c864824f55396300de482195556894493bc7c515021ad3dc8f10f1eb149d15b5b7e774815a9fc9c92abdab9c4804c76fbddec84191bd581602dd20

  • SSDEEP

    12288:N1z81PvJd8CMPUkWRTlMp9GUhb+oUezpjDi5:rzWJhegRTlKQUhbFUApj

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Invoice Packing List.exe


    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks