General

  • Target: xveXYcYoRA9ESLn.exe
  • Size: 643KB
  • Sample: 230802-kqe6kseg91
  • MD5: 6347fb31f9109c673ad871a53592aa05
  • SHA1: e27fcd68f9a792b338243354c758beea0e5699b8
  • SHA256: afcf2d75de98e641cb9555de188660470893d84e4c22577cd56f947e5a54223a
  • SHA512: 50f54f1680baf1a4d354fc789427a535e6016dded9340d27595908defcf68e052331a16d508d974e913ca6e120b27c8649869f450be3f36b603fa69ddc78e1cf
  • SSDEEP: 12288:15MYIRXDdvSRkM15dSe01rrG7F7Be7oyOH/ElayoBDef3TMMMDMMM:16FRXxvSRkMJArylB4oyc/ElaZefTMM7

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot6454328840:AAFhLVGRU2auzr2_1A08UAoSV1INpU42j7g/sendMessage?chat_id=6315669338

Targets

    • Snake Keylogger: Keylogger and Infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Reads user/profile data of local email clients: Email clients store some user data on disk, where infostealers will often target it.
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext
