General

  • Target

    85769aadc4608e599612aeea1554436f1a3f0c2c4cf88c7a597b690061aeed6cexe_JC.exe

  • Size

    826KB

  • Sample

    230806-ntvxzshg88

  • MD5

    f19d85c4e2ff2da0acad772d2c9fc3fd

  • SHA1

    8ac325b48b211c0521a411d786ee2bfc0c8c3886

  • SHA256

    85769aadc4608e599612aeea1554436f1a3f0c2c4cf88c7a597b690061aeed6c

  • SHA512

    769e9afaeea926ba2c421f1fbbefda1435e02018d6da8371ef8446f6d2b4cf48448a36ab76c4ddebcd02c80a2ed8b23e8c74c678b0bea53e55abedc9c40494cf

  • SSDEEP

    12288:rEKaJvqAye0xf76gbWs3Y9rJTuY0/gVCrpdnCNKiq5E+8:CqtxRbXY99uY6goC0+

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6686619258:AAGtzpvFWTOm8FcEhveRVJyG4SlPLoGP3xc/sendMessage?chat_id=6465958501

Targets

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks