General

  • Target

    Siparis 02.08.023.exe

  • Size

    640KB

  • Sample

    230802-g4bhrsdb82

  • MD5

    08a2328781ea1a31a981c4474c0d097d

  • SHA1

    2eb7fbf701e8739c80ff27134a67eb6fee6bf4c0

  • SHA256

    3331e4358de7df247634699487afe492edf9af859cd588304ce9f0c6cb542cc3

  • SHA512

    8de6f3abee3d6e01d6b70cc214f7f60e518dbf7e45770b8e916d1d92bc020561f597bc6e50664f28b62c8607813f6f94e0cf9282f3d25b78969e35f4647aa5cc

  • SSDEEP

    12288:S5MY96e21JbOD5fzTmzqLLb7p8tRLPT9pDF/U:S66v2LbOlfzqGP7YLPT9pDFU

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.icdanismanlik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Emre2010!

Targets

    • Target

      Siparis 02.08.023.exe

    • Size

      640KB

    • MD5

      08a2328781ea1a31a981c4474c0d097d

    • SHA1

      2eb7fbf701e8739c80ff27134a67eb6fee6bf4c0

    • SHA256

      3331e4358de7df247634699487afe492edf9af859cd588304ce9f0c6cb542cc3

    • SHA512

      8de6f3abee3d6e01d6b70cc214f7f60e518dbf7e45770b8e916d1d92bc020561f597bc6e50664f28b62c8607813f6f94e0cf9282f3d25b78969e35f4647aa5cc

    • SSDEEP

      12288:S5MY96e21JbOD5fzTmzqLLb7p8tRLPT9pDF/U:S66v2LbOlfzqGP7YLPT9pDFU

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks