General

  • Target

    122299dbd449798d5504153e36fff8916b5b9bf2895384d2105f67bd040a7eef

  • Size

    25KB

  • Sample

    230807-qhv5qagf8y

  • MD5

    443e65dba3478a9d5c182821daedbb24

  • SHA1

    293ca9c32b1dffbe0b7942cd32060bc51f5dab85

  • SHA256

    122299dbd449798d5504153e36fff8916b5b9bf2895384d2105f67bd040a7eef

  • SHA512

    8f627065a11d7c1bced0c420908f0e7bd9c89ab9651527dde5c03831f4c2af075d0fc0291370b18eef1e3a6fb406f8b83c87a53a20fa8741fa3f57e3508eea39

  • SSDEEP

    384:NxHFkRaejqyS7F6BCHZrEc9eNQ/ffLxhw2vWS2bRFAUjXhKWxwlJpq61Xabs2FGd:3YPwFjHZrXsGzxh1WNuKRZk72FGd

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6248516913:AAGz2X7ZTTfP93otYJpsEGv_HscIKLPpAYY/sendMessage?chat_id=1467583453

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Adds Run key to start application

      Writes a value under the registry Run key so the binary is relaunched at each user logon (persistence).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is typical of process hollowing: the payload is written into a suspended host process and its entry point redirected before the thread is resumed.
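As an added example (not sandbox output and not the report's own tooling), the script below turns the extracted config and the behaviour signatures above into hunting checks: it splits the Telegram C2 URL into bot id, token, method and chat_id, then scores a set of event records for a Run-key write, an external-IP lookup, Bot API traffic from a non-browser process, and an exact match on this sample's bot token. The event records are constructed inline in a Sysmon-like (registry, DNS) and proxy-like (http) shape; the IP-lookup host list is an analyst assumption because the report does not name the service the sample used, and the dropped-file path is hypothetical.

```python
"""Hunting checks derived from this report: the extracted Telegram C2 and the
listed behaviour signatures. Added example, not sandbox output; the event
records below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL exactly as extracted from the sample (Malware Config section above).
C2_URL = ("https://api.telegram.org/bot6248516913:"
          "AAGz2X7ZTTfP93otYJpsEGv_HscIKLPpAYY/sendMessage?chat_id=1467583453")

# Telegram Bot API path layout: /bot<bot_id>:<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

# Assumption: the report does not name the IP lookup service, so this is an
# analyst-maintained list of common ones, not something taken from the sample.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat_id."""
    u = urlsplit(url)
    m = BOT_PATH.match(u.path)
    if u.hostname != "api.telegram.org" or not m:
        return None
    return {"bot_id": m["bot_id"], "token": m["token"], "method": m["method"],
            "chat_id": parse_qs(u.query).get("chat_id", [None])[0]}


def image_name(ev):
    """Basename of the originating process image, lower-cased."""
    return ev.get("image", "").rsplit("\\", 1)[-1].lower()


def triage(events, c2_url):
    """Score host/proxy events against the behaviours listed in the report."""
    c2 = parse_telegram_c2(c2_url)
    bot_prefix = f"/bot{c2['bot_id']}:{c2['token']}/" if c2 else None
    f = {"run_key_writes": [], "ip_lookup": [], "telegram_bot_api": [], "config_match": []}
    for ev in events:
        img = image_name(ev)
        if ev["kind"] == "registry_set" and RUN_KEY.search(ev["target"]):
            f["run_key_writes"].append(ev)                 # persistence
        elif ev["kind"] == "dns" and ev["query"] in IP_LOOKUP_HOSTS:
            f["ip_lookup"].append(ev)                      # external IP lookup
        elif ev["kind"] == "dns" and ev["query"] == "api.telegram.org" and img not in BROWSERS:
            f["telegram_bot_api"].append(ev)               # Bot API from a non-browser process
        elif ev["kind"] == "http" and bot_prefix and bot_prefix in ev["url"]:
            f["config_match"].append(ev)                   # this sample's bot id + token
    score = (2 * bool(f["run_key_writes"]) + bool(f["ip_lookup"])
             + 2 * bool(f["telegram_bot_api"]) + 5 * bool(f["config_match"]))
    f["verdict"] = "infected" if f["config_match"] else ("suspicious" if score >= 3 else "clean")
    return f


# Constructed Sysmon-style (registry/DNS) and proxy-style (http) records.
STEALER = "C:\\Users\\victim\\AppData\\Roaming\\updater.exe"   # hypothetical path
SAMPLE_EVENTS = [
    {"kind": "registry_set", "image": STEALER,
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "details": STEALER},
    {"kind": "dns", "image": STEALER, "query": "checkip.dyndns.org"},
    {"kind": "dns", "image": STEALER, "query": "api.telegram.org"},
    {"kind": "http", "image": STEALER, "url": C2_URL},
    {"kind": "dns", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "query": "api.telegram.org"},   # benign: browser use of Telegram, not counted
]

if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS, C2_URL)
    print(r["verdict"], {k: len(v) for k, v in r.items() if k != "verdict"})
```

The token match is the only finding that ties a host to this specific sample; the other three are family-agnostic heuristics, which is why a Bot API lookup from a browser is deliberately ignored and a Run-key write alone does not reach the "suspicious" threshold. The bot id and token are also what you would hand to Telegram for abuse reporting, since the bot, not an attacker-owned server, is the exfiltration channel.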
