General

  • Target

    Ayuaey.exe

  • Size

    661KB

  • Sample

    230807-qjcprsfd68

  • MD5

    88558239003de10b2342502825ed5d8f

  • SHA1

    9f41c6501d79aa62d74d503497fd9d4d8fdbc320

  • SHA256

    2d397c3b96952610182b2f157200c188b1f816689dda18ab175b813108acce13

  • SHA512

    b4cad296cd4cc8788b75b6785b3b0644fdcc3f73300dd6e63e26504e14a05c6e31acc512fb75399038ac3ab1fd033d873483be3604275b17dbac704563925d9a

  • SSDEEP

    12288:GpSFXvfq9PrHrTUA2IAWSMgJvjl6l2GRwLfQ9:CSFXvfqt3AbXRjl6Rn

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot6312134911:AAEpy-chTluU2BKpH7SOV4jFqoRrZrAO-mQ/sendMessage?chat_id=6373691592

Targets

    • Target

      Ayuaey.exe

    • Size

      661KB

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Adds Run key to start application

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks