General

  • Target: Profoma Invoice.exe
  • Size: 573KB
  • Sample: 230721-gjk7gacb84
  • MD5: 32066cad8da6902c0310d21a62b94357
  • SHA1: d43059b280e581062b560888e0dc8e8ff1169453
  • SHA256: f971bcac3dd8bf23d93da9098047772d5326366cd28dfea957acb7f7703dbde3
  • SHA512: 7a1ded686a891f1084b8939e42b8f11dae914c89e4b762868bdfcc86d28d0955a461a8024b4cdd3ae2bee917dc648d4dc4c70a53f4f8c5393d33ca8cb4f1626d
  • SSDEEP: 12288:mS6ln+flo/XciMvy3symu3sSTbaGcVpf4uyu4OJnliyFu:bTdCjEyPmu8SCGcVp4DKnwd

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: webmail.satnet.net
  • Port: 587
  • Username: [email protected]
  • Password: reve1563

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks