General

  • Target

    05.12.2023_tahsil_senedi_bilgileri.xls.exe

  • Size

    681KB

  • Sample

    231205-hvcj5saa32

  • MD5

    3270695f929b3f2499f9f56d76c9b08f

  • SHA1

    32e75a939b0ae09a898339004afa4bbeb3ce6d68

  • SHA256

    c7c0a22744179c319910d7c9508866ebfc6d35beeee844b8462bab9c04af4b19

  • SHA512

    23360736cdda1b3cd4cf07046936f512d3ab9c50c47422f1e7d3e689ad5143ef450ea8b3f0660c38a892c6191023b16b731c559ed11b3104e74b60f8986110f5

  • SSDEEP

    12288:Xy7KE6jD/62iNG5nF8rmi9VEsqhzUoo3j3D829wV1wIctP/T:X6KtD/61IGzEsGInjwV1wFtX

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ozakaluminyum.com
  • Port:
    587
  • Username:
    bilgi@ozakaluminyum.com
  • Password:
    ETKghx*c3KoQ

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
