General

  • Target

    file.exe

  • Size

    389KB

  • Sample

    230602-rhq2facb5z

  • MD5

    62738c80596a3f7417c25093ab50411e

  • SHA1

    9b4e28e322bea1056de4916917180ed48831af9d

  • SHA256

    98f5bcf2c92492d2887e3e8b628ce4e0d07cee9400a2d6f09d036de0525fe9ad

  • SHA512

    7c8254175e10cb3fd1c7f3a7e0d20d8512cc09560aa548a0ae0d8d7716a59bce1a847605162ec930aa15f3804f499251dacce0e363a087e9b10fd12c218ce79a

  • SSDEEP

    6144:So05eU1uCIH2mhffFxCXfy34fyLS7Uf1k29nXIFusxAWp5DDKJbqo+8G2GbiS:So05NIhS246GQhvWbA+8Y

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077

Targets

    • Target

      file.exe

    • Size

      389KB

    • MD5

      62738c80596a3f7417c25093ab50411e

    • SHA1

      9b4e28e322bea1056de4916917180ed48831af9d

    • SHA256

      98f5bcf2c92492d2887e3e8b628ce4e0d07cee9400a2d6f09d036de0525fe9ad

    • SHA512

      7c8254175e10cb3fd1c7f3a7e0d20d8512cc09560aa548a0ae0d8d7716a59bce1a847605162ec930aa15f3804f499251dacce0e363a087e9b10fd12c218ce79a

    • SSDEEP

      6144:So05eU1uCIH2mhffFxCXfy34fyLS7Uf1k29nXIFusxAWp5DDKJbqo+8G2GbiS:So05NIhS246GQhvWbA+8Y

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Email Collection

1
T1114

Tasks