General

  • Target

    0DCEBAC995B4FD1BA9B04FB41F9D3F9884433C2DC4EF93FD5756D40633CD63C7

  • Size

    895KB

  • Sample

    230718-zjr9wsdg58

  • MD5

    9975350a5d5d6a0973cfdf09428991b2

  • SHA1

    6fb1820fc477331b369965573fc007a27d258fd8

  • SHA256

    0dcebac995b4fd1ba9b04fb41f9d3f9884433c2dc4ef93fd5756d40633cd63c7

  • SHA512

    b0e60cb09199587e64e7e9d6bc5919f5e26c6778a7ca0f49bfcfd19533f5fa845d1bc1f615ad79c4eda88b55c8b45287eb250c2b7861e605489c14b2e94ae9c2

  • SSDEEP

    24576:DhGTIdIMXtbcupg+qqs6GdSyGeNHnpXWTW6z:Dhi8FpFGdSfwnxWTW6z

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713

Targets

    • Target

      SWIFT TRANSFER.exe

    • Size

      1.0MB

    • MD5

      9e70755fa332d8cf4fdaf16845d53af0

    • SHA1

      2ac4d97546e0b65bd4a7155dd554209ba29e00ac

    • SHA256

      8ab395051b25a0711bdf0041c343d9a3de2a32b542ff3ee9aa1162c0e14ed28a

    • SHA512

      2dcb662d3e618c07ff2f273c9cf2b1a6cac91c68a0147aa2a305400f84b5abd76cddf4d8da14315c8f9683a87de21c3c6d64d35763a6dcea0f2ab19cf4ce2bfd

    • SSDEEP

      24576:NTbBv5rUan7Oq9evjU7syeVKN/5ivrWvg:HBj7Oq9eIgy0KN/5ivrig

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks