General

  • Target

    CITI USD10987 PI.exe

  • Size

    925KB

  • Sample

    231012-clz17ahh6x

  • MD5

    6dd5b074dc21fc159a5e98c448dab3e5

  • SHA1

    9be431a3d0fb17e0d7b69c62d288a7b47804fd36

  • SHA256

    a5395961ee5eeddf2c81583e2eb11dafe8f8ebcc350204e0c8344e4d3e1614e6

  • SHA512

    bbd3ea1bbe5e44f04973389ca391eab78f456a673fee59bbeed8368462dbc5a819bd5c929f8e5103337e3beb82002aeca5bc80ff25d3741fbe46c05c74e909db

  • SSDEEP

    12288:8IOZByuDs0aOFF9EcBeK4cwyLO/uVvrvhytVJJbngUJo37DV4ELPr0MecveyyOGp:aoeeK4PmtuJUw4np3HLcp

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6576397218:AAGKDzpigihdpxoThh04ULC6usDNBiyjVcE/sendMessage?chat_id=5086753017

Targets

    • Target

      CITI USD10987 PI.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks