General

  • Target

    hesaphareketi-01.exe

  • Size

    663KB

  • Sample

    230718-p2cbaaac85

  • MD5

    1aa0c36d4fb2ac79a6cb902da1cdf21c

  • SHA1

    e539ad8f06b90105cafd5ce497be6049dd19edde

  • SHA256

    5958de331a0caeb250569736c1e1d2634f0ed18526488f4ea55e7731b879c077

  • SHA512

    cd8018e07e8347806140efa2d1859ffa330a629e942eddddb321d30a22646b936c7e64006426481a6083099ce2507f20533bb4abef05315e0ac11cde8ce01370

  • SSDEEP

    12288:eDv0SxNm1rC5X3NCPYC1zdIIXGo2FwM04sGNn/lBij2l0/eGRYpyuD8Iy/Je/XCr:CMKcZAXdCPYyIbo2t04sGNn/lBij2l0z

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6331506862:AAEKFOHP1JKUDc0rSEqmiyzoaDWsXo8zqs4/sendMessage?chat_id=932962718

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
