General

  • Target: 4FBA75A354F32D24A339DC617BE69987DAB943DBB8073A763D9D264A91508F99
  • Size: 895KB
  • Sample: 230718-zjtgysee9t
  • MD5: 3dae42d2dd8c28fca59531c7248c9e38
  • SHA1: a39c9246054e721e22fcfe6b16fa5f2b0208ab6a
  • SHA256: 4fba75a354f32d24a339dc617be69987dab943dbb8073a763d9d264a91508f99
  • SHA512: 94a4597f6669f51a1f4b7aab8faa162dd9019d45d8272a43318a331ac90b31bf45c460b335a30df520b0ba3b572978683175218a94b52f30b2adc28985a748cd
  • SSDEEP: 24576:UhGTIdIMXtbcupg+qqs6GdSyGeNHnpXWTW6A:Uhi8FpFGdSfwnxWTW6A

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713

Targets

    • Target: evraklar.exe
    • Size: 1.0MB
    • MD5: 9e70755fa332d8cf4fdaf16845d53af0
    • SHA1: 2ac4d97546e0b65bd4a7155dd554209ba29e00ac
    • SHA256: 8ab395051b25a0711bdf0041c343d9a3de2a32b542ff3ee9aa1162c0e14ed28a
    • SHA512: 2dcb662d3e618c07ff2f273c9cf2b1a6cac91c68a0147aa2a305400f84b5abd76cddf4d8da14315c8f9683a87de21c3c6d64d35763a6dcea0f2ab19cf4ce2bfd
    • SSDEEP: 24576:NTbBv5rUan7Oq9evjU7syeVKN/5ivrWvg:HBj7Oq9eIgy0KN/5ivrig

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks