General

  • Target: BBVA.exe

  • Size: 754KB

  • Sample: 230722-j9ll2aaa63

  • MD5: 234b4926590cedf9517347b6c8d02afc

  • SHA1: 3de64f470833a28906cb1c03bb23dd844842831c

  • SHA256: 05ea84c903e4eb75d9defe3cd550ef0ee979086ade208e9cf84f5d80530820ce

  • SHA512: f3e6473d23e2cb2a1c0347f92091296f0eae774758b84a8e53ecc9ec018c2f9f4f9295b52840be779544fbe2d448141b465ba84a0bf33a2bb318e95378d33659

  • SSDEEP: 12288:SO7c7DBL+8KXXB+yji5ao4BEfWgr2h1vUGfjHGtqBgSOVxO5qN:SO7S1L+8mBbmf4pR11uYgSSy

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks