General

  • Target

    dd368ffa260270c084b71839690763f08f5d184a98cf2967bed35bb3bc347505

  • Size

    707KB

  • Sample

    230721-trjptsfg81

  • MD5

    4c0bbe6fd4bdfd0733a66badb6602699

  • SHA1

    b0b9d106882aa35122bea0d1b8154872073462c0

  • SHA256

    dd368ffa260270c084b71839690763f08f5d184a98cf2967bed35bb3bc347505

  • SHA512

    ad2f023f76aa024f9a20afd067c38e648df36cfb5469f1f0fe89cc2a1bf621dd7a1c72e884ab136f09bdd0512336bbabc4a90e787025555f2076c0b870042d46

  • SSDEEP

    12288:mb/zXljS/9PGMlj6KYqOnGV0worUs1Ag9CACJ3aZKDOcNA5av+BjgAC7RI:mb/z1jgPGMdYqvrorUsXQAKZNA46jgP+

Malware Config

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks