General

  • Target

    New Product Order_2107023.exe

  • Size

    949KB

  • Sample

    230721-gh1wjacb77

  • MD5

    bc0446ee61e4e000a3c3f0263c2ce4e4

  • SHA1

    4764ec8e266944c3091e7f6daab5bc11918d2ddb

  • SHA256

    cc3ae962162b5cf702ea0fb30b2279949d33eed2f0330fcde7714d479b140b36

  • SHA512

    cfd3330fd903bafffea8b496e80d50850fce02a10ada8519c217a9475050b64f893a5daaa91cddd7c6e6aeb19a0a393bff1743b25546e06639bf121b0feada1b

  • SSDEEP

    12288:4BuXmm/rCt2MYba5ql+0X7eqVUq5RPtyOjX6Box5toZGc6:QAmm/r1rLXyqVv31yaJc

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.icdanismanlik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Emre2010!

Targets

    • Target

      New Product Order_2107023.exe

    • Size

      949KB

    • MD5

      bc0446ee61e4e000a3c3f0263c2ce4e4

    • SHA1

      4764ec8e266944c3091e7f6daab5bc11918d2ddb

    • SHA256

      cc3ae962162b5cf702ea0fb30b2279949d33eed2f0330fcde7714d479b140b36

    • SHA512

      cfd3330fd903bafffea8b496e80d50850fce02a10ada8519c217a9475050b64f893a5daaa91cddd7c6e6aeb19a0a393bff1743b25546e06639bf121b0feada1b

    • SSDEEP

      12288:4BuXmm/rCt2MYba5ql+0X7eqVUq5RPtyOjX6Box5toZGc6:QAmm/r1rLXyqVv31yaJc

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks