General

  • Target

    Haopelehp.exe

  • Size

    727KB

  • Sample

    230718-p1ep1sba8z

  • MD5

    7ec449704168846bcc6fdb466409ba31

  • SHA1

    8d976bdbe34abe5bc2f2e681402226abdeddc5f0

  • SHA256

    cacc7162b9c5dacdd807215b37e7a0325c8d98de656b5845dc69d4cc467b0ab7

  • SHA512

    596d786b70eec0232d9080321d9b7593ad9b7a1b3d464d74172aec84b51da18309f79663ebbbe7b144d679aec39c2a8b10ccd6c4c9af35bde055291098d13a30

  • SSDEEP

    12288:RDQzYLnMjO9VcKeuwVdn+Hx72AZUB8sQok7Qre1ttJ1wf:RDiAMjScKeuqnA72AZUKz/HA

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot6223040934:AAFZR7-nJPBtNtKiKjjFvb-144WYhjW9KHY/sendMessage?chat_id=6373691592

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6