General

  • Target: D67245B7BC0376A9AE316A37EFEC49BEB7FD2FB0BD5091BD4BB7BF2B1A12A48F
  • Size: 537KB
  • Sample: 230718-zkjn5sdh42
  • MD5: 2cf5b5277cefa2fb2d0def8029888908
  • SHA1: 4a3ac95c1b32423fd75585556c06e0ca6031b7cf
  • SHA256: d67245b7bc0376a9ae316a37efec49beb7fd2fb0bd5091bd4bb7bf2b1a12a48f
  • SHA512: e98c7bfd106227215c26de1f249e3b2bafab7a1e2b624dae75886bea9eeac67205d7ef7aeebaab7bdfa4224039662bdf22261bf9d66c8220280502438d12af5a
  • SSDEEP: 12288:Sq7EJX/vWs3BqM+vySCshgndNX7tUjawNYLa/zsL:Srh7xBi3CshgaGwNrrsL

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot5738470399:AAEl1xY8CQoLfvnnvb8Ghc_dI459UJe2CS0/sendMessage?chat_id=6121826573

Targets

    • Target: SWIFT.exe
    • Size: 589KB
    • MD5: cfd9400788cec445ea903430947b8ea4
    • SHA1: f5bf509cda1d41c193cd9ee91f55be8330216804
    • SHA256: aff17251d8ef67ff476b07d1b446389d6cef3f87179403904f6f55ce5e948c11
    • SHA512: 67bcfb4f93158d1836c1646270b072f71b20067ee3f071c45824762101b7a72de8907f0823c829c9534abd7447118fa088421e18df692f5bb4ef015dbd6d63a1
    • SSDEEP: 12288:a92iNG4/mNUAQHAZcK/LaHerukSjmWb6v2EdlCPs5Y7:81M4/QU/AsHwaHUM0Y

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6