General

  • Target

    PO SJS 20221109-02.xlsx.exe

  • Size

    722KB

  • Sample

    230602-gw843aaf2x

  • MD5

    e067420d4846f5ec6295db05b2a0a981

  • SHA1

    9dc078c6e827d602d5d75c079442183693ab4e16

  • SHA256

    1f53cffa281a18eec6149e2fc33e25cb597281c536825156696a5fb6f48b59a1

  • SHA512

    ecd95a2ae69127caf7c5debbd78dc17ebf9ad8438ade17354c837ec3b90e6aa20fe10b000a6b885717ea75e4000f421e609e7699406133fdeb8966f5ce33a773

  • SSDEEP

    12288:tZNtb7l7xdvo/MdyrhFgtDsuBHsSj5J4+saBGjSFqwAofEAOY456+gIN2Iaq6OPV:tH9BqmycgiH75BI1wASEj4+p2sPURGfH

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/sendMessage?chat_id=6200392710

Targets

    • Target

      PO SJS 20221109-02.xlsx.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files, T1081 (1)

  • Collection

    Data from Local System, T1005 (1)

    Email Collection, T1114 (1)

Tasks