General

  • Target

    Hahza.exe

  • Size

    10KB

  • Sample

    230802-kpv6eaeg9s

  • MD5

    b1553384deba6a98d1a0caa98468d0ee

  • SHA1

    f63e052ba7f25077d625f841241e2d2aa1ea7011

  • SHA256

    37840987b437459b8f5774cfd36eb5a271c61808ccfa5e4aa63b005db127f71a

  • SHA512

    807f89794347adbc82dac585656c62db9e0fd924e83ff7fffc28cd9f5f18c0859fbbc5c07c599fa41e40acd04bcb70651bd43714ffaf84b3c4a93bc7eba613a6

  • SSDEEP

    96:JG/woST6RfWsr/Kk+M1k4XpCiwe5KhBC14P3R8jleB/TA2ezNt:J6RfWsjv+M1k4XFw0Kva4P3Slc/R4

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6631000928:AAFiCjddpMvTQX5-pktE-_9Ryd2LS01DYeE/sendMessage?chat_id=5716598986

Targets

    • Target

      Hahza.exe

    • Size

      10KB

    • MD5

      b1553384deba6a98d1a0caa98468d0ee

    • SHA1

      f63e052ba7f25077d625f841241e2d2aa1ea7011

    • SHA256

      37840987b437459b8f5774cfd36eb5a271c61808ccfa5e4aa63b005db127f71a

    • SHA512

      807f89794347adbc82dac585656c62db9e0fd924e83ff7fffc28cd9f5f18c0859fbbc5c07c599fa41e40acd04bcb70651bd43714ffaf84b3c4a93bc7eba613a6

    • SSDEEP

      96:JG/woST6RfWsr/Kk+M1k4XpCiwe5KhBC14P3R8jleB/TA2ezNt:J6RfWsjv+M1k4XFw0Kva4P3Slc/R4

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks