General
-
Target
PO RBPEN2305-001.xlsx.exe
-
Size
592KB
-
Sample
230514-jttmpsbb79
-
MD5
fd67230071bb2c1c1526139ccfc27ef2
-
SHA1
b26a0e633f976da66affb35ad59e9c5730e1987b
-
SHA256
8760dd4d037c34998c16fea312946f0d6d05c2d3b25c1acd6dec12d00e376acc
-
SHA512
3afdf50dbc3492c49521906d623f0749a65eddab7fd8c8cc9950154e2c00030f3533ec799b1f573bd1b67de0cce4e16236a94061b95e1471c5a94010afc7bbab
-
SSDEEP
12288:smjvv1Gm9nDGtz9dnlwlzozmc2rBsPsArsdJ:xvn2z9dapozmJNz4QJ
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/sendMessage?chat_id=6200392710
Targets
-
-
Target
PO RBPEN2305-001.xlsx.exe
-
Size
592KB
-
MD5
fd67230071bb2c1c1526139ccfc27ef2
-
SHA1
b26a0e633f976da66affb35ad59e9c5730e1987b
-
SHA256
8760dd4d037c34998c16fea312946f0d6d05c2d3b25c1acd6dec12d00e376acc
-
SHA512
3afdf50dbc3492c49521906d623f0749a65eddab7fd8c8cc9950154e2c00030f3533ec799b1f573bd1b67de0cce4e16236a94061b95e1471c5a94010afc7bbab
-
SSDEEP
12288:smjvv1Gm9nDGtz9dnlwlzozmc2rBsPsArsdJ:xvn2z9dapozmJNz4QJ
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-