General

  • Target:
    Cotizacion ##5033900.iso
  • Size:
    684KB
  • Sample:
    230721-pszp8afb6y
  • MD5:
    4faa1a50d63c1b6b1878f2780a8ff7a0
  • SHA1:
    11f15e7af6f444a0d76fb3e516c5342b91ade497
  • SHA256:
    63b0fdf34c01deb87491b7f0e404da802211ee177c557b523a62ab42dcde9535
  • SHA512:
    2a09f08722b95760d3c9108e4bafca5cc57de60d0e917860e979a97a949a435b820e71fee3f25fa9d713f3b27a8330e29ccdadaeca6452a58c011a59c3b8d7e7
  • SSDEEP:
    12288:OWc/bUYIsYolnr8+HrF2pJSlghtqle1De7wubknDIlLS6YfiYh:ViXrYoxHrF2pLql2IwubDsa

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mtbooks.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ^QGUcHQjx3

Targets

    • Target:
      Cotizacion ##5033900.exe
    • Size:
      623KB
    • MD5:
      e5e34926801d009fd9345c1221cf61d1
    • SHA1:
      00dc97afe9b99f0f4c9c6be374ac0a82958028fd
    • SHA256:
      fd36434871eb55ee3d9f78ee0fd63f26c915f8d5a7d3848ef6ffddcac75893cc
    • SHA512:
      b7c2d2e7194d2a798abdf6e93f6fd1ded8f01261c35cd474c01684f7a10a791dcbd09625b094c2a8ac2f8b458754f1a8e2e52954de07a187425483b88755df91
    • SSDEEP:
      12288:2Wc/bUYIsYolnr8+HrF2pJSlghtqle1De7wubknDIlLS6YfiYh:diXrYoxHrF2pLql2IwubDsa

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target that data.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks