General
-
Target
Payment-086767.Pdf.z
-
Size
885KB
-
Sample
230606-prphvseb5w
-
MD5
b3abc9c804aaf1615dd47a146320f2d9
-
SHA1
82621c5da1909f56c2aa0a061f026a96149a55d1
-
SHA256
ae6503ac5cf2f1eecb86c6412def66a951542b4b4bf2a8dd330b88ed240bd4f7
-
SHA512
e530e289f06e43c7bd454ce1fabe3f779ff73f6659dd77b0242f9acfab316fd69fa907bd3bec5f67be869d2171e9fbaca74ad18d17c457f67c299f2cacd401f5
-
SSDEEP
24576:AegC+4KdE9eRxx9I5kU/qqBXikiT62YXDWdWFn:Ae6dEQXI5jbhiTm2YiE
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6288005341:AAGRgYv2o5lUGc3tnZ9QIy4L5Vg9lraTrSs/sendMessage?chat_id=6121807451
Targets
-
-
Target
Payment-086767.exe
-
Size
1.1MB
-
MD5
bfba47a7bf66791b7063200296791246
-
SHA1
758070d667146b6f070562a4ae0e6deac4378b87
-
SHA256
0e61f26144aed994bb81781ad31813ff3e3fdc19767c07784e18ac73bf2a63b8
-
SHA512
0f3332d1e8e27cfd1b382aa5bd5f9def6f0f43750d8ead9bfadd5ed0ebc9b42dbbe8e516c0dee71423bbd55a2007cb5522ed4210118adfaeb7c710eb19cf09c2
-
SSDEEP
24576:k7+m1BvLk7zsDGqdY8NlhCAcbTHV5pGaAZ:kscDJ3NqAaTHC
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-