General

  • Target

    SSM-1998.exe

  • Size

    852KB

  • Sample

    230731-hjmwqsda48

  • MD5

    e7dd9499e3d6870e42828b4eeed3d81c

  • SHA1

    0245bbf3c2e5169fbeaef1ae56f1e80a70360e75

  • SHA256

    d00f8dee3e81decbb37ef2651c88d3ba46a959d5bfe1d71fc17afd8b4704b4bd

  • SHA512

    983585d297f788eae4db092cbb56d79c8918cd5212f67d7a4b96b9db3eb08f19fc3e8744e7ac46ea7afc6f8723e9ff8dbe9abc762ef2528ca776b8a48119d205

  • SSDEEP

    12288:5i4svoOVWtlmiObEWInEKB2zYiW50813Cjg:sBoOKmiOYWML4YiWiK3Cjg

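The digests above are what a practitioner uses to confirm that a file in hand is this sample. The following script is an added example, not part of the sandbox report: it computes all four digests in one pass over the file and reports which ones disagree with the values listed above (SSDEEP is omitted because the Python standard library has no fuzzy-hash implementation).

```python
"""Check that a file you have in hand is the sample this report describes.

Added example, not part of the sandbox report. The expected digests are the
MD5/SHA1/SHA256/SHA512 listed above; SSDEEP is left out because the standard
library has no fuzzy-hash implementation.
"""
import hashlib
import io
import sys

# Values copied from the report's General section.
REPORT_HASHES = {
    "md5": "e7dd9499e3d6870e42828b4eeed3d81c",
    "sha1": "0245bbf3c2e5169fbeaef1ae56f1e80a70360e75",
    "sha256": "d00f8dee3e81decbb37ef2651c88d3ba46a959d5bfe1d71fc17afd8b4704b4bd",
    "sha512": "983585d297f788eae4db092cbb56d79c8918cd5212f67d7a4b96b9db3eb08f19fc3e8744e7ac46ea7afc6f8723e9ff8dbe9abc762ef2528ca776b8a48119d205",
}


def hash_stream(fobj, chunk_size=1 << 20):
    """Compute all four digests in one pass so a large sample is read once."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used for the self-check)."""
    return hash_stream(io.BytesIO(data))


def compare_to_report(observed, expected=REPORT_HASHES):
    """Return (all_match, mismatches).

    Comparison is case-insensitive, and a digest missing from `observed`
    counts as a mismatch rather than a silent pass.
    """
    mismatches = {}
    for name, want in expected.items():
        got = observed.get(name)
        if got is None or got.lower() != want.lower():
            mismatches[name] = (got, want)
    return not mismatches, mismatches


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-file>
    with open(sys.argv[1], "rb") as f:
        ok, bad = compare_to_report(hash_stream(f))
    print("MATCH" if ok else "MISMATCH: " + ", ".join(sorted(bad)))
```

A single mismatching digest is enough to say the file is not this sample; a match on MD5 alone is not, since MD5 collisions are practical, which is why all four are checked.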
Malware Config

Extracted

  • Family

    snakekeylogger

  • Credentials

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Uses the VBS compiler for execution

      The signature refers to vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework. A dropper that starts this Microsoft-signed binary usually does so to hollow it and run the payload from inside it.

    • Accesses Microsoft Outlook profiles

      Reads the per-profile Outlook registry keys, where saved mail account credentials are stored.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a suspended thread of another process is the step in process hollowing that redirects execution to the injected image; together with the vbc.exe launch above it is the usual hollowing pattern.

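The vbc.exe launch, the SetThreadContext call and the external IP lookup form one behaviour chain, and that chain is what a detection should key on rather than any single signature. The script below is an added example, not Triage's signature code: it runs over constructed process-creation and DNS events in the shape of Sysmon Event ID 1 and Event ID 22 fields (every path, PID and domain in them is made up), flags vbc.exe started by anything other than build tooling, and escalates when that same process then queries a public IP-lookup service. The allow-list of benign parents and the list of lookup domains are assumptions to be tuned from your own telemetry.

```python
"""Detection logic for the behaviour chain the signatures above describe:
a dropper launching vbc.exe (the Visual Basic .NET compiler, a common
process-hollowing host), then the hollowed process looking up the victim's
external IP. Added example for this report, not Triage's signature code.
The event records below are constructed to mimic Sysmon Event ID 1
(process create) and Event ID 22 (DNS query) fields; every path, PID and
domain in them is made up for illustration.
"""
import re

# Public IP-lookup services that stealers of this family commonly contact.
# Assumed starting list; extend it from your own telemetry.
IP_LOOKUP_DOMAINS = {
    "checkip.dyndns.org",
    "api.ipify.org",
    "ip-api.com",
    "ipinfo.io",
    "icanhazip.com",
}

# Parents that legitimately start vbc.exe (build tooling). Assumed allow-list.
BENIGN_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

# vbc.exe lives under the .NET Framework directory; anything else named
# vbc.exe is itself suspicious, so match the path, not just the file name.
VBC_PATH = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\vbc\.exe$")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect_hollowing_chain(events):
    """Walk events in order and return alerts.

    A vbc.exe start whose parent is not build tooling raises a medium alert;
    a later DNS query from that same PID to an IP-lookup domain raises a high
    alert, because a compiler has no reason to ask for the host's public IP.
    """
    suspicious_vbc = set()
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"].lower()
            if VBC_PATH.search(image) and _basename(ev["ParentImage"]) not in BENIGN_VBC_PARENTS:
                suspicious_vbc.add(ev["ProcessId"])
                alerts.append({
                    "severity": "medium",
                    "rule": "vbc.exe started by non-build parent",
                    "pid": ev["ProcessId"],
                    "parent": ev["ParentImage"],
                })
        elif ev["EventID"] == 22:
            query = ev["QueryName"].lower()
            if ev["ProcessId"] in suspicious_vbc and query in IP_LOOKUP_DOMAINS:
                alerts.append({
                    "severity": "high",
                    "rule": "suspicious vbc.exe performing external IP lookup",
                    "pid": ev["ProcessId"],
                    "query": query,
                })
    return alerts


# Constructed sample telemetry (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\SSM-1998.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4388,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\user\Desktop\SSM-1998.exe"},
    {"EventID": 22, "ProcessId": 4388, "QueryName": "checkip.dyndns.org"},
    # Benign build activity: vbc.exe under MSBuild, then a package feed lookup.
    {"EventID": 1, "ProcessId": 5012,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 22, "ProcessId": 5012, "QueryName": "api.nuget.org"},
]

if __name__ == "__main__":
    for alert in detect_hollowing_chain(SAMPLE_EVENTS):
        print(alert)
```

The medium alert alone will fire on any .NET dropper that hollows vbc.exe, Snake Keylogger or not; the escalation to high is what ties it to this family's habit of phoning an IP-lookup service before exfiltration. Sysmon does not log registry reads, so the Outlook profile access is not modelled here.
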
MITRE ATT&CK Enterprise v15

Tasks