General

  • Target: Factura_231148 pdf.exe
  • Size: 574KB
  • Sample: 230721-gh17ascb78
  • MD5: beed5338f8123aabbcece5bbd78df8ab
  • SHA1: 03835af11104c6a808a0ce579ee70a2c7708ac95
  • SHA256: d69bc8ffc72d96bb22010de1922d88a55c184962abed3dd9f409111ca083cfaf
  • SHA512: 82dbb764a9d813039c1bb19ff4adc294d431fcd082c8ee39d052b152b06e285fbf3fb1bf762560d83f16d53c531430fc34ece05191f0aa73fc304aa83caff8c6
  • SSDEEP: 12288:aS6ln+flo/XciMvJdRMmFZa4aI6aA93pPJUgJiIYK2YNHn:vTdCjEJLfkVIapPvJi+pp

Malware Config

Extracted

  • Family: snakekeylogger
  • Credentials

Targets

    • Target: Factura_231148 pdf.exe


    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks