General

  • Target

    854F1H97-5BBB-4A87-A566-33K9012B05H2 pdf.exe

  • Size

    8KB

  • Sample

    230721-gjk7gach3s

  • MD5

    6876e36084c868dc15bf9f6c98b8deaa

  • SHA1

    c638d5f0851a10326cb6a2c3edf962ff8bff4327

  • SHA256

    59b39ac91fde9a9c8fb93e0e84c4105df60fee2ca887b8b7bbfdf6666c1935d5

  • SHA512

    4d0b2fd46785ee3983d95972774c25e391e84074881b68f6ca3ae971fd610aa65b06aa18528190a7f079e1e4c2ce8dcf9d8a2b012521fa4f65724c4492964ead

  • SSDEEP

    96:GnSdViERWisyvnhq8k4aLyWTQI0Bu3bHffn3HeCGDMRqeDD1DuBzNt:KMiUoyvhq8k4I5h3eJUDD1DuD

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://api.telegram.org/bot6248516913:AAGz2X7ZTTfP93otYJpsEGv_HscIKLPpAYY/sendMessage?chat_id=1467583453

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks