General

  • Target

    DHL AWB 5016240033.exe

  • Size

    486KB

  • Sample

    230803-s5w2msdh98

  • MD5

    82c115af7f8d3ccac858d2665d546f7e

  • SHA1

    87ba605097a8718208d98c7728e790fa3df2b98f

  • SHA256

    62be48d55ce8452ccc11ebafef61b9229995eb863b4da994f5db249227f2045e

  • SHA512

    f75e495f864fc1fdc574ad6b5b5e90a9cd8119caa15b8cbbb8047f4619cd2cc0282cd11c0ecbb73d64744f643001f2a02fe5b942550c4ab9584b4db22d3704bc

  • SSDEEP

    12288:aq2Vp/eb830mMBGvvNrXg2lElnO4PzuwYy:b2Vl2ObJ3NrQzB

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      DHL AWB 5016240033.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks