General

  • Target

    Gyjjmn.exe

  • Size

    13KB

  • Sample

    230601-fn643acf25

  • MD5

    1f78bd63a9097e0d1208cbc2bbc6ea17

  • SHA1

    e8a086e14cc775951ee4628f586fc00b03e1c14f

  • SHA256

    9cc6511bbdabccc21e3fee933fb9cc223b3e17d6865d12dae7ebaa2074f9b39f

  • SHA512

    3e9f57ead229d78d5c1b5d5e045711cf367fc3a750f3c6f8f41d405de49e0b2f0f03b9a834c76e58a25c5f9372683b86e1c1c705f3cabc15a4102e43f2cf2740

  • SSDEEP

    192:novfGLcL843eeLor7jAU8v5k+gXDVSTL5RtLe/Y2wdME:ovfGLcLNdLor7jgk+gXDw1Letu

Malware Config

Extracted

Family

purecrypter

C2

https://cdn.discordapp.com/attachments/1113589887258607668/1113593768474574978/Kptmybrzjx.dat

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5996089921:AAFFEnbgTY8Gt8G5jJy6llKhDg_Ha193t7c/sendMessage?chat_id=2054148913

Targets

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

  • Collection

    Email Collection: T1114 (1)

Tasks