General

  • Target

    9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8

  • Size

    577KB

  • Sample

    230808-pjdrdscd72

  • MD5

    87e8c813255d7a8768b98765cdcfed67

  • SHA1

    1613953ba8a07e11e89ed77c28afe58d872891bb

  • SHA256

    9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8

  • SHA512

    0b415ca68d1f44ca9c45102e7141e117ad9dbb1eda3cc21c75eec9b33897d21ee2ddd3d0e66b0b23eff1a6aabadd3d56bee64939b65170e942e5498cb77c744e

  • SSDEEP

    12288:25LbzIu9+r9GJ+iyhAGkFuT/r2GGjerRWvEF8xLCnysHu:25LA9IvGTqY/XueosF8xoy9

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5830566856:AAGWFy9uABhntGSW37Ll1sdhis_3Sq_arBM/sendMessage?chat_id=1467583453

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks