General

  • Target

    DHL AWB 5016240032.gz

  • Size

    526KB

  • Sample

    230718-s5hh9abg55

  • MD5

    f99ba468bf9d068ddc933d3762ec34cf

  • SHA1

    d59046000f4e7126a360387fc258e653bd8b2f55

  • SHA256

    44c2ecca7d95e0a44889ef4fdad8c048ee463919b386ad6a09a39693bb11a225

  • SHA512

    442892fc8300744ad4a4127105d3022062f55ad89d1d06a43dafd0f0a993a14b7c3e8b3c7d11ca343661182ea4ef0e7cb96c5f8da995b23bb62b42be1c5a191e

  • SSDEEP

    12288:MxVpEaLpTC7vlo2/NVMUZ71xpRM3LIfcfNQCsdqOSrQ+Zw9H9A0ObNblQw:w4EpKvl9Dh1zgIfFpqm+yh9qbNlv
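The report hashes two layers: the gzip lure that was submitted and the executable it unpacks to (listed under Malware Config). The script below, an added example that is not part of the sandbox report, reproduces that by hashing a file at both layers and matching the SHA256 values against the report's IOCs. The sample itself is not included, so the stand-alone run uses a constructed gzip blob; the size cap on decompression and the `MZ` check are the author's own choices, and ssdeep is left out because it needs the third-party `ssdeep` package.

```python
"""Hash a gzip-wrapped sample at both layers and check against report IOCs.

Added example, not code from the sandbox report. The digests in REPORT_IOCS
are copied from the report; everything else is an assumption for illustration.
"""
import gzip
import hashlib
import io

# IOCs copied from the report: outer .gz container and extracted .exe payload.
REPORT_IOCS = {
    "DHL AWB 5016240032.gz": {
        "md5": "f99ba468bf9d068ddc933d3762ec34cf",
        "sha1": "d59046000f4e7126a360387fc258e653bd8b2f55",
        "sha256": "44c2ecca7d95e0a44889ef4fdad8c048ee463919b386ad6a09a39693bb11a225",
    },
    "DHL AWB 5016240032.exe": {
        "md5": "92116c2a95014e01082aecf0be665235",
        "sha1": "86c6e4262292efcaf5d340440a3d33e90911320b",
        "sha256": "810321f2b71adcaa676f764693491d2080735c29e509b2a546e32212a2c83ee1",
    },
}


def digests(data: bytes) -> dict:
    """Same digest set the report lists, minus ssdeep (needs the `ssdeep` package)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def is_gzip(data: bytes) -> bool:
    """gzip magic bytes; the file name alone is not trusted."""
    return data[:2] == b"\x1f\x8b"


def wrap_gzip(payload: bytes) -> bytes:
    """Build a gzip container (used only to construct test input)."""
    return gzip.compress(payload)


def unwrap_gzip(data: bytes, max_size: int = 64 * 1024 * 1024) -> bytes:
    """Decompress in memory with a size cap so a decompression bomb cannot
    exhaust RAM while triaging."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        out = gz.read(max_size + 1)
    if len(out) > max_size:
        raise ValueError("decompressed payload exceeds size cap")
    return out


def analyse(data: bytes) -> dict:
    """Hash the container and, if it is gzip, the unwrapped payload as well."""
    layers = {"container": digests(data)}
    if is_gzip(data):
        payload = unwrap_gzip(data)
        layers["payload"] = digests(payload)
        # PE files start with the "MZ" DOS header.
        layers["payload"]["is_pe"] = payload[:2] == b"MZ"
    return layers


def match_iocs(layers: dict) -> list:
    """Names of report targets whose SHA256 matches any hashed layer."""
    hits = []
    for name, ioc in REPORT_IOCS.items():
        for layer in layers.values():
            if layer["sha256"] == ioc["sha256"]:
                hits.append(name)
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Constructed stand-in: a fake MZ header wrapped in gzip, not the real sample.
        blob = wrap_gzip(b"MZ" + b"\x00" * 62 + b"constructed payload")
    result = analyse(blob)
    for layer, h in result.items():
        print(layer, h["sha256"])
    print("IOC hits:", match_iocs(result) or "none")
```

Run it as `python hash_layers.py "DHL AWB 5016240032.gz"` against a real copy of the sample; the container SHA256 should then equal the value under General and the payload SHA256 the value under Malware Config.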

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      DHL AWB 5016240032.exe

    • Size

      572KB

    • MD5

      92116c2a95014e01082aecf0be665235

    • SHA1

      86c6e4262292efcaf5d340440a3d33e90911320b

    • SHA256

      810321f2b71adcaa676f764693491d2080735c29e509b2a546e32212a2c83ee1

    • SHA512

      dcb9a77be569fcfa47c4b082aa3c0346eb2c5943a66e5d56760e1a78f94fc182b1ae89bfdf0cc140a59e58276b54381bc85971449bdf7a6fb7a7cbaa1df11a44

    • SSDEEP

      12288:CmAY2kcdbL4EfmAGHmOxVtPOJDkirPITrdDWezLws:LN6GEfgOJLzITrF5E

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store account settings and saved passwords on disk, which infostealers routinely target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP. Benign software does this too, so treat it as corroborating rather than conclusive on its own.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the registers of a (usually suspended) thread, including its entry point. Combined with WriteProcessMemory and ResumeThread it is a building block of process hollowing and similar injection techniques.
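The signature names above are the sandbox's verdicts; the report does not show the underlying events. The script below, an added example and not the sandbox's own rules, shows how such signatures are derived from an event trace. The event format, the credential-store paths, the list of IP echo services and the process-hollowing call order are all assumptions about what a sandbox would log for this behaviour; the trace is constructed, not taken from this sample.

```python
"""Re-derive the report's behaviour signatures from a constructed event trace.

Added example, not code from the sandbox or the report. Paths, hosts and the
API sequence are assumptions; the report names only the signatures.
"""
import re
from collections import defaultdict

# Well-known browser credential stores (which ones this sample read is not stated).
BROWSER_STORES = [
    r"\\Google\\Chrome\\User Data\\.*\\Login Data$",
    r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$",
]
# Local email client profile directories.
EMAIL_STORES = [
    r"\\Thunderbird\\Profiles\\",
    r"\\Foxmail\\",
]
# Registry locations holding Outlook account profiles.
OUTLOOK_PROFILE_KEYS = [
    r"HKCU\\Software\\Microsoft\\Office\\\d+\.\d\\Outlook\\Profiles",
    r"Windows Messaging Subsystem\\Profiles",
]
# Legitimate IP echo services; assumed list, the report does not name one.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ipinfo.io", "icanhazip.com"}
# Classic process-hollowing order of calls against a suspended child process.
HOLLOWING_SEQUENCE = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def evaluate(events):
    """events: list of dicts {pid, kind, value}, kind in file/reg/http/api.
    Returns {signature_name: [evidence, ...]} for every signature that fires."""
    hits = defaultdict(list)
    api_by_pid = defaultdict(list)
    for ev in events:
        kind, value = ev["kind"], ev["value"]
        if kind == "file" and _any(BROWSER_STORES, value):
            hits["Reads user/profile data of web browsers"].append(value)
        elif kind == "file" and _any(EMAIL_STORES, value):
            hits["Reads user/profile data of local email clients"].append(value)
        elif kind == "reg" and _any(OUTLOOK_PROFILE_KEYS, value):
            hits["Accesses Microsoft Outlook profiles"].append(value)
        elif kind == "http":
            host = re.sub(r"^https?://", "", value).split("/")[0].lower()
            if host in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].append(value)
        elif kind == "api":
            api_by_pid[ev["pid"]].append(value)
    for pid, calls in api_by_pid.items():
        if "SetThreadContext" not in calls:
            continue
        # Subsequence check: do the four calls appear in hollowing order?
        it = iter(calls)
        ordered = all(any(c == want for c in it) for want in HOLLOWING_SEQUENCE)
        label = "process hollowing sequence" if ordered else "isolated call"
        hits["Suspicious use of SetThreadContext"].append(f"pid {pid}: {label}")
    return dict(hits)


# Constructed trace for illustration, not events recorded from this sample.
SAMPLE_EVENTS = [
    {"pid": 1, "kind": "api", "value": "CreateProcess"},
    {"pid": 1, "kind": "api", "value": "WriteProcessMemory"},
    {"pid": 1, "kind": "api", "value": "SetThreadContext"},
    {"pid": 1, "kind": "api", "value": "ResumeThread"},
    {"pid": 2, "kind": "file", "value": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2, "kind": "file", "value": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
    {"pid": 2, "kind": "file", "value": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\xy.default\logins.json"},
    {"pid": 2, "kind": "reg", "value": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 2, "kind": "http", "value": "http://checkip.dyndns.org/"},
    {"pid": 2, "kind": "file", "value": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for name, evidence in evaluate(SAMPLE_EVENTS).items():
        print(name)
        for e in evidence:
            print("   ", e)
```

The ordering check matters for triage: a lone SetThreadContext call is common in debuggers and some runtimes, whereas the full suspended-create, write, set-context, resume sequence is the pattern worth escalating.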

MITRE ATT&CK Enterprise v6

Tasks