General

  • Target

    e04d08769ebf74aadda9a5ccf0320a06.exe

  • Size

    535KB

  • Sample

    230722-j9ll2aae5w

  • MD5

    e04d08769ebf74aadda9a5ccf0320a06

  • SHA1

    388d60db3e07b5da6ae83174f11fd3e8db0bc615

  • SHA256

    bb4db999018838a8f0945dd26c3b38081a75035764fa58b88ff4e189003e340c

  • SHA512

    699fbf8f2a047a7622c8e30191145b99fe033404d3a4d0e17a7cdedc7e273b1185d8648e3dfb441f5c259c6916cacc1758574d2ead938d925643a6aa3082e0fe

  • SSDEEP

    12288:Cmw47/vuhQeNsV/GORK2ZjAUgadhKSrkr81J8LLeni:LheNyWOA/aa+kLLQi

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.acotur.com.ar
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bLeos!8ObM%A103

Targets

    • Target

      e04d08769ebf74aadda9a5ccf0320a06.exe

    • Size

      535KB

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks