General
Target: 37f5a513604502dacf676bfb9.bin
Size: 452KB
Sample: 230628-rndnasag5y
MD5: 1647f3841b0c75dbc8fc61b6623a8b5f
SHA1: a3d2a189a506317dda47ebdb1de95774f3f9f65a
SHA256: 037304ea1f29708a9aa2c0bbd7a71857c6865b76cbd8e2d80be5a1b7a8d55b0f
SHA512: 2f87c5c6718e728bf6838b2662825a4d4e680cba9d67166f4676f7b633850140a01754e5340d4f45a2bf26cedf647ed566aed8a119fd9c3d54658dd94cd85b51
SSDEEP: 12288:MchkavKXCiGO4dQIBi2DWSNUG7nclGhs8BG:MmGczQIBi2WSNH7nQj8BG
Static task: static1
Behavioral task: behavioral1
  Sample: 0ee11589280de3ddb6f2a74d5245f32bdf5b93af0e86aaae3e282744bc445397.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: 0ee11589280de3ddb6f2a74d5245f32bdf5b93af0e86aaae3e282744bc445397.exe
  Resource: win10v2004-20230621-en
Malware Config
Extracted
snakekeylogger
Protocol: smtp
Host: mail.wilcon.com.ph
Port: 587
Username: [email protected]
Password: password@cashier
Email To: [email protected]
Telegram: https://api.telegram.org/bot5839027687:AAGrC4UWgd0JQxMHOf1dCehA-oSrYF_Bez8/sendMessage?chat_id=1094077450
Targets
Target: 0ee11589280de3ddb6f2a74d5245f32bdf5b93af0e86aaae3e282744bc445397.exe
Size: 549KB
MD5: 37f5a513604502dacf676bfb991366ba
SHA1: 74fe943ec53c0b5810b866a6b0044e5f0720063c
SHA256: 0ee11589280de3ddb6f2a74d5245f32bdf5b93af0e86aaae3e282744bc445397
SHA512: bbc8b1ad92b9439de093146aacdc2a6823d3572b3645e1f20b86a4aabe55319e26b84fe0d5ce651ae15aab5c522d523946e52689a1db2853491d38f52db0dc24
SSDEEP: 12288:vau7MrQ/5D7d4E90udiRqrE7dohhhFtzePH6I1f3mH:vas/9GGoF7dohhhFFePHh3mH
Score: 10/10
- Snake Keylogger payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext