General

  • Target

    invoice.pdf.z.exe

  • Size

    624KB

  • Sample

    230721-gh17asch2t

  • MD5

    81b9b82b55d384d8812d7a92cc0092b2

  • SHA1

    5edf5cd9b5ad2a6c1eb8c8ec493eb881e12225d4

  • SHA256

    62b09bf1931ef9545b10b0bae3eb45a9896fec6add45690ddf95074378e71528

  • SHA512

    4b483f7c0841257d6a002dbaa74c2c4a5ee20c06cea2804415b04424032f59e2de46410435917670b5d951559a043a29bf796dda189f0f14e814e011cc086208

  • SSDEEP

    12288:lWc/bUYIsYolnn4ZgILMRP5M2QGEG1AhjfXFDznQSR/hZHPv+:QiXrYoJ4ZfLWPeGp+pf9nXHxv

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.kovarviajes.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P4tt1kr

Targets

    • Target

      invoice.pdf.z.exe

    • Size

      624KB

    • MD5

      81b9b82b55d384d8812d7a92cc0092b2

    • SHA1

      5edf5cd9b5ad2a6c1eb8c8ec493eb881e12225d4

    • SHA256

      62b09bf1931ef9545b10b0bae3eb45a9896fec6add45690ddf95074378e71528

    • SHA512

      4b483f7c0841257d6a002dbaa74c2c4a5ee20c06cea2804415b04424032f59e2de46410435917670b5d951559a043a29bf796dda189f0f14e814e011cc086208

    • SSDEEP

      12288:lWc/bUYIsYolnn4ZgILMRP5M2QGEG1AhjfXFDznQSR/hZHPv+:QiXrYoJ4ZfLWPeGp+pf9nXHxv

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks