General

  • Target

    38e497ba967a7027611f38d868b02f7c004_JC.exe

  • Size

    590KB

  • Sample

    230729-nv4aradc51

  • MD5

    f30673ee0518982afd8b39dc2d9d5ae9

  • SHA1

    f0d0dc64ef073a4a2fa132f3e47877304fd34d1e

  • SHA256

    38e497ba967a7027611f38d868b02f7c00405cc0cde0500ee32a61103dddd4f4

  • SHA512

    0d9e5f6314caf2337044e074436adc0f3ec9f98476d88e373c8ed93c192247bbf48bcb5a5917e0d9a2e8f62ae0203f26608933859f0d4c3f01877f9ada1671da

  • SSDEEP

    12288:6bO57cZPwzlubFicMWIVsRjDrQLzFOhlXjmDy+bO5:MOZcZxQc/ZrQvFEoDyoO

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage?chat_id=5361285164

Targets

    • Target

      38e497ba967a7027611f38d868b02f7c004_JC.exe

    • Size

      590KB

    • MD5

      f30673ee0518982afd8b39dc2d9d5ae9

    • SHA1

      f0d0dc64ef073a4a2fa132f3e47877304fd34d1e

    • SHA256

      38e497ba967a7027611f38d868b02f7c00405cc0cde0500ee32a61103dddd4f4

    • SHA512

      0d9e5f6314caf2337044e074436adc0f3ec9f98476d88e373c8ed93c192247bbf48bcb5a5917e0d9a2e8f62ae0203f26608933859f0d4c3f01877f9ada1671da

    • SSDEEP

      12288:6bO57cZPwzlubFicMWIVsRjDrQLzFOhlXjmDy+bO5:MOZcZxQc/ZrQvFEoDyoO

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks