General

  • Target

    be1c3157dae47377644ac3bc9fcb301be2365769b69a8282ad71181f05eaee4dexe.exe

  • Size

    717KB

  • Sample

    231205-wrnd5adf8v

  • MD5

    411ee6022b7005ae8e76057377a9a183

  • SHA1

    eda32fd2a813c8539ddaf4f30e99cf215a6f0139

  • SHA256

    be1c3157dae47377644ac3bc9fcb301be2365769b69a8282ad71181f05eaee4d

  • SHA512

    a86976d582f585c54e9e83863ce3eb91f87a241e0fc3681ecd9a813d5a89c22347c17d32c6f0c985969c66d5328bc6e08c5fb763ec9442cd56c3baf42905d95c

  • SSDEEP

    12288:mfYNr4RDzxP45+po2OAaY9sTtKN+bwLfFN2OuNpEbbaUq+Zb:Izk+pJOO9sZo3Pt+WbbNq+t

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bhojwanindia.com
  • Port:
    587
  • Username:
    admin@bhojwanindia.com
  • Password:
    bombayoffice123

Targets

    • Target

      be1c3157dae47377644ac3bc9fcb301be2365769b69a8282ad71181f05eaee4dexe.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task/Job             1      T1053
  Persistence           Scheduled Task/Job             1      T1053
  Privilege Escalation  Scheduled Task/Job             1      T1053
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   2      T1082

Tasks