General

  • Target: img_23721jpg.exe
  • Size: 751KB
  • Sample: 230722-j95d5sae5y
  • MD5: a9c050ae19fcf43d9f35cca1f3ec4021
  • SHA1: 8c90121b330793aa5409ebfb56a47b2e6e0689ca
  • SHA256: bf5e0325eb6371cde268e2798df868725f430a77a61a796694ea1ae7f66dbd89
  • SHA512: 603ad12b7f7578e78ff6665848d44f057de6a8d4449d3dfe576ab285787b333cf59cb343edc30b0262aff587c261cf88696702007a380c2592f6e8dfb22697e4
  • SSDEEP: 12288:hmigC31GkXEqjs0u1yrOnHcexDBuZaicSVLsTIaQ9ZOp53X3e0BRDkn:hmiBlGj06UucCDuJPxssSdVD

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot6341476624:AAHzFzzvwwNKpL2Qi8FTrJZNi1BPeeeAdFA/sendMessage?chat_id=5607586384

Targets

    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely as a geofence check.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15