General

  • Target

    854F1E97-5BDD-4A87-A566-33B9012D08E2 pdf.exe

  • Size

    662KB

  • Sample

    230807-qjcprsfd72

  • MD5

    c117d5b5834bd2624b405d473c86a963

  • SHA1

    927d62af4996de5729869bc50b571e2a8cc5fff0

  • SHA256

    19663c25e9873f288152b6a990f0e1d315b7d076d4c62d1d184961d7232f94e5

  • SHA512

    f7088bc086487ece04f67b64010135dff5a6570b66746312bff58220b81ec313a827500b83fd275217df18e3763afe3aa6bf7b6d661932d5f99c013581c9433e

  • SSDEEP

    12288:8ep7sHEkolwsdvh82e1suhPTg40xjl6l2GRwLfQ9c:aZovhdDA8jxjl6RnS

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6400401861:AAHzywDQVA6oWh8Aa9-h_qQEJJmgrfSwFvM/sendMessage?chat_id=1467583453

Targets

    • Target

      854F1E97-5BDD-4A87-A566-33B9012D08E2 pdf.exe

    • Size

      662KB

    • MD5

      c117d5b5834bd2624b405d473c86a963

    • SHA1

      927d62af4996de5729869bc50b571e2a8cc5fff0

    • SHA256

      19663c25e9873f288152b6a990f0e1d315b7d076d4c62d1d184961d7232f94e5

    • SHA512

      f7088bc086487ece04f67b64010135dff5a6570b66746312bff58220b81ec313a827500b83fd275217df18e3763afe3aa6bf7b6d661932d5f99c013581c9433e

    • SSDEEP

      12288:8ep7sHEkolwsdvh82e1suhPTg40xjl6l2GRwLfQ9c:aZovhdDA8jxjl6RnS

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks