General

  • Target

    Gsoclhmbn.exe

  • Size

    31KB

  • Sample

    230721-gkfy5sch3w

  • MD5

    cff7a757c7546ed630d63f863cbac4c5

  • SHA1

    9a6fa9c033c0f6c0dbe4695210e63f72d60c4950

  • SHA256

    e0f99651e49f6c8aa666a1847674bce2133a0d39e3e3e503f7159601ff02ff2d

  • SHA512

    82bced4b93e21b633aa98c241ca5495c7f457e6def65626e390fe5639f9aef7f05a57ddf444dd1b7f61905d1e3d91cf876b86285704abb2ff10bd34d7a30cfab

  • SSDEEP

    384:Ul1OhjCIuJyOoZsyZGtzoKx1tO5Iari+7gvJG3/:Q6eyZkc6O57YhGv

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6362226928:AAEy_YKrGOhDs-QKpzHM8bwWaBrcjSBTM4A/sendMessage?chat_id=6373691592
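The extracted C2 is a Telegram Bot API endpoint, so the hostname alone is a poor indicator (api.telegram.org is legitimate traffic); the hunt-worthy pieces are the bot token embedded in the path and the chat_id in the query string. The following script is an added example, not part of the Triage report or of the Snake Keylogger sample, that parses such URLs into their IOC components, scans a strings dump for them, and defangs them for reporting. The regex, the function names and the strings dump are assumptions made here; the dump contains the report's own C2 URL plus constructed noise.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Shape of a Telegram Bot API call: https://api.telegram.org/bot<bot_id>:<secret>/<method>[?query]
# The <bot_id>:<secret> pair is the bot token, i.e. the credential that lets anyone
# send (and, via getUpdates, read) messages as that bot. Pattern is an assumption of
# this example, not taken from the sample.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>[^\s<>]*))?"
)

IOC = Dict[str, Optional[str]]


def defang(url: str) -> str:
    """Neutralise an IOC for reports: hxxp scheme and bracketed dots in the host only."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    scheme = re.sub(r"^http", "hxxp", scheme, flags=re.I)
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def _record(m: "re.Match[str]") -> IOC:
    query = parse_qs(m.group("query") or "")
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],  # receiving chat, if present
        "defanged": defang(m.group(0)),
    }


def parse_telegram_c2(url: str) -> Optional[IOC]:
    """Return the IOC components of one Telegram bot URL, or None if it is not one."""
    m = TELEGRAM_BOT_RE.search(url)
    return _record(m) if m else None


def find_telegram_c2(strings: str) -> List[IOC]:
    """Scan a strings dump (memory, decrypted config) for bot endpoints, one entry per token."""
    seen, found = set(), []
    for m in TELEGRAM_BOT_RE.finditer(strings):
        rec = _record(m)
        if rec["token"] not in seen:
            seen.add(rec["token"])
            found.append(rec)
    return found


# Constructed strings dump: the C2 URL from the report above, a second call with the
# same token (collapsed by the de-duplication), and noise that must not match.
SAMPLE_STRINGS = """
https://api.telegram.org/bot6362226928:AAEy_YKrGOhDs-QKpzHM8bwWaBrcjSBTM4A/sendMessage?chat_id=6373691592
https://api.telegram.org/bot6362226928:AAEy_YKrGOhDs-QKpzHM8bwWaBrcjSBTM4A/sendDocument?chat_id=6373691592
https://api.telegram.org/
http://checkip.dyndns.org/
"""

if __name__ == "__main__":
    for ioc in find_telegram_c2(SAMPLE_STRINGS):
        print(ioc["defanged"], "bot_id=" + ioc["bot_id"], "chat_id=" + str(ioc["chat_id"]))
```

Treat the token as a live credential rather than a string: it is what ties separate samples to the same operator, and detection should key on the `bot<id>:` path prefix in proxy or TLS-inspected logs, not on the hostname.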

Targets

    • Target

      Gsoclhmbn.exe


    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data under the Office registry hive (HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles), where stealers harvest configured mail account settings and stored credentials.

    • Adds Run key to start application

      Writes a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so the binary is relaunched at logon (ATT&CK T1547.001, Registry Run Keys / Startup Folder).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the step that redirects execution in process hollowing and thread execution hijacking (ATT&CK T1055.012 / T1055.003); on its own the signature does not identify the injected payload.
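The signatures above are behavioural: each is a pattern over API calls and registry or network activity rather than a byte match. The script below is an added example, not part of the Triage report, that applies those patterns to an API trace. The trace format (`<pid> <api> <args>`), the API names, the Run value name and the suspended child process are all constructed for this example; the stateful rule fires on the classic CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread sequence, the general hollowing pattern, not a claim about what this particular sample does.

```python
import re
from typing import Dict, List

# Constructed API-trace lines (not real sandbox output) in "<pid> <api> <args>" form,
# exercising each behaviour listed in the report plus the Telegram C2 call.
SAMPLE_TRACE = r"""
4120 CreateProcessW C:\Windows\System32\notepad.exe flags=CREATE_SUSPENDED
4120 WriteProcessMemory pid=4188
4120 SetThreadContext pid=4188
4120 ResumeThread pid=4188
4188 RegOpenKeyExW HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
4188 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
4188 InternetOpenUrlW http://checkip.dyndns.org/
4188 WinHttpSendRequest https://api.telegram.org/bot0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage
4188 RegOpenKeyExW HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
4188 InternetOpenUrlW https://example.com/
"""

# Stateless rules: one regex per report signature, applied to "<api> <args>".
# The IP-lookup host list is an assumption; extend it from your own telemetry.
STATELESS_RULES = {
    "Accesses Microsoft Outlook profiles":
        re.compile(r"^RegOpenKeyExW .*\\Office\\[\d.]+\\Outlook\\Profiles\\", re.I),
    "Adds Run key to start application":
        re.compile(r"^RegSetValueExW HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
    "Looks up external IP address via web service":
        re.compile(r"^\w+ https?://(?:checkip\.dyndns\.org|api\.ipify\.org|ip-api\.com|icanhazip\.com)/", re.I),
    "Telegram Bot API C2":
        re.compile(r"^\w+ https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/", re.I),
}

# Stateful rule: the hollowing sequence, tracked per calling pid.
HOLLOWING_STEPS = ("CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def triage(trace: str) -> Dict[str, List[str]]:
    """Map each report signature to the trace lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    progress: Dict[str, int] = {}  # caller pid -> index of the next expected hollowing step
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        pid, _, call = line.partition(" ")
        for name, rx in STATELESS_RULES.items():
            if rx.search(call):
                hits.setdefault(name, []).append(line)
        api = call.split(" ", 1)[0]
        step = progress.get(pid, 0)
        if step == 0 and api == "CreateProcessW" and "CREATE_SUSPENDED" in call:
            progress[pid] = 1
        elif step > 0 and api == HOLLOWING_STEPS[step]:
            progress[pid] = step + 1
            if progress[pid] == len(HOLLOWING_STEPS):
                hits.setdefault("Suspicious use of SetThreadContext", []).append(line)
                progress[pid] = 0
    return hits


if __name__ == "__main__":
    for signature, lines in triage(SAMPLE_TRACE).items():
        print(signature)
        for entry in lines:
            print("   ", entry)
```

The stateful rule completes only on ResumeThread, because a SetThreadContext call without the preceding suspended create and remote write is also what debuggers and some legitimate runtimes do; requiring the whole sequence is what keeps the signature "suspicious" rather than noisy.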

MITRE ATT&CK Enterprise v15
