General

  • Target: Hqwlldk.exe
  • Size: 97KB
  • Sample: 230801-mr866agd4z
  • MD5: 8dbf454882aafca6d75eca481004a34a
  • SHA1: 166da780c51f261719a6285ce5fe60e5e9ab36b2
  • SHA256: 06a9ec554700c23590c89a5281d875fb042e1f8f1ce0ba8615883a4529cbe84f
  • SHA512: afdad43aa8e7f631a6326570cd3b707f4f2e884150d6f12925617396441f599e1959241e69a2d728d67b5f0dd2270c1bb518e0ea16cc77c7ebc26ba5f22e3e68
  • SSDEEP: 3072:VMjJiEI12mUEsP3MgBtyomYlVjTwbkQqr433F:VMjEEknUjP8g+omYlyRa

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot6394594767:AAElUYlr27DCSn2gW1gOerQUXsMbyXdE9lY/sendMessage?chat_id=6373691592

Targets

    • Target: Hqwlldk.exe

    • Snake Keylogger: keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Adds Run key to start application
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15