General

  • Target

    contract.exe

  • Size

    570KB

  • Sample

    231205-vqc2bsdd99

  • MD5

    3c448192bfb521f123506e0a385eb6da

  • SHA1

    04de893d8e6adf340bae48b7b829398725a98208

  • SHA256

    db10e4331d6379d0f7c17f8c000b43a399621745526f1286f85ff3361d5299b9

  • SHA512

    b419879d15d50ac97c9b6f2fb7575a948815ca52fbff41bfd80a751d3d1500fddd009ea25c9f55e1c1843e4b32ae1ba5878de447cd40619dd2441439c81eccb0

  • SSDEEP

    12288:M397phPSx6aQH5nJUhUQ7uWZkceauwUeZeKBPNY4URAQmbCp:M39dlSgTKSQ7u+NrhUWeKBy

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: mail.mct2.co.za
  • Port: 587
  • Username: user@mct2.co.za
  • Password: 00000

Targets

    • Target

      contract.exe

    • Size

      570KB

    • MD5

      3c448192bfb521f123506e0a385eb6da

    • SHA1

      04de893d8e6adf340bae48b7b829398725a98208

    • SHA256

      db10e4331d6379d0f7c17f8c000b43a399621745526f1286f85ff3361d5299b9

    • SHA512

      b419879d15d50ac97c9b6f2fb7575a948815ca52fbff41bfd80a751d3d1500fddd009ea25c9f55e1c1843e4b32ae1ba5878de447cd40619dd2441439c81eccb0

    • SSDEEP

      12288:M397phPSx6aQH5nJUhUQ7uWZkceauwUeZeKBPNY4URAQmbCp:M39dlSgTKSQ7u+NrhUWeKBy

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Credential Access

  • Unsecured Credentials (T1552): 2
  • Credentials In Files (T1552.001): 2

Collection

  • Data from Local System (T1005): 2
  • Email Collection (T1114): 1

Tasks