General

  • Target: 092e78899a2d91e9aa768c1078e12016076a1384f9499f8dff5ec7471580794b
  • Size: 532KB
  • Sample: 231005-ec1x8sge6t
  • MD5: 44e0029af67e9d44f869cbaf2cafc051
  • SHA1: 2b7aaf9644a4bc485488b66a11483161519f1491
  • SHA256: 092e78899a2d91e9aa768c1078e12016076a1384f9499f8dff5ec7471580794b
  • SHA512: b1fead7b6a793cb6d725f9f99d2aba6cafefe8557d7de75cf03e7122456c3f6b326307ab7fc1331b6f331a0446d53d41156130ad0522e7a670493325800eba33
  • SSDEEP: 12288:eZwjRZbqXCxT1AamV3FHmXXGPq880KpD+BmcIAFc3y5pN:eZwTOC6aK3tGXsCCAwFc3UpN

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot6037842610:AAGtFhP2ARfeZprQQ-fc4jocpQJfZYmE3Vo/sendMessage?chat_id=5086753017

Targets

    • Target: Inquiry Parts 2023-10.scr
    • Size: 769KB
    • MD5: 5effabc97480cc8fb3cfa6833d20e5ef
    • SHA1: 168c4247f596a89f73b081b20e214a74feed0109
    • SHA256: 18984ef29316e8b0ca4423e4f17418b23ec54e91bb7809ea5f840d03b618d987
    • SHA512: fa77e8e1e805a98e46773b3a2b2301bff80134bfb764d8cc4b1b1563ec3ab964a82ae519582288c5f9e556d0964ae9c1c8c50c5d564be6581dc5091f757eb6bd
    • SSDEEP: 12288:CRvAblxM/xBzcFyHcJNdWfpuL19aoI+39k68:CRYbnM/Xzc3Nmpaz++h8
    • Snake Keylogger
      Keylogger and Infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: RFQ-1199211.exe
    • Size: 768KB
    • MD5: 21724c44495555e825f87cfc2b119bcf
    • SHA1: ea70f6fbebbb74a5c5b5b204136877b441f72da0
    • SHA256: 8f86f0d30b96a4ffaf93e9726caefeaece8d3298534422fb5c5337ad8620ee59
    • SHA512: 009c7fce795a64657244a7b581d58ed161360f29e4c8bdd5a5d6d395604d611f15504cefdb0944372aa0bb9f3a0d134bd4d869877c1e0c5d70efd2074a7a5d9a
    • SSDEEP: 12288:fkXrDAYOu6LykBv6iWCj6SUptA8ghXDyQZE6+n889c4NcaiTWOo:fkfAQdkBj6S+GXmJGUcailo
    • Snake Keylogger
      Keylogger and Infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks