General

  • Target

    Request for Quote.dox.gz

  • Size

    524KB

  • Sample

    240125-vw9mgsbed2

  • MD5

    08a13c690575264c80eb176672fa3f1a

  • SHA1

    c9f315cc2d5a9be126d3482945ba47afcbb1e6df

  • SHA256

    32ed665c77f852b165bdd6aef61b0834bf6f79e5f38e6d2f6a07d52c910dccb5

  • SHA512

    417195bcef1ec71ed9ead62a84fc3606ea100d4d6d14a33047f9906633013f10749e8223697ab4bf20a0294028bc115090667ac6dd915bde7eb07d2a205e2765

  • SSDEEP

    12288:f8H5Lk70LXjVOTUh+vQfegtXtTZ8NQlUA/uMmPq:f8ZLk70LiIntTOKPeq

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.efsmanpower.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Zion#2018

Targets

    • Target

      Request for Quote.dox.exe

    • Size

      915KB

    • MD5

      133fe057686ada7d4e07500c6fca8072

    • SHA1

      c7fcd044a6f2e1daf9ef68c500d36e49dd814dbc

    • SHA256

      0d9482728211478fca475c41feb82fc18040801f2ac7210e0bd83491ce1f39cb

    • SHA512

      e1897d719d30dcb9b70ab08eccc12d46803ba486d2718c1ceea3741f830e734e13d11bcdff4e7d4c45df74f2c34b9d557dd2370901031c055be3c57419b6bb9d

    • SSDEEP

      12288:swmi0C0e6DjNG1qR0YdgYwegIdNf7lh124bJ80rQ:Z0R/TJLf7jJ

    • Kinsing

      Kinsing is a loader written in Golang. This hit sits oddly beside the Snake Keylogger config extracted above (Kinsing is a Linux cryptomining loader; the sample here is a Windows executable), so treat it as a low-confidence signature match rather than evidence of a second family.

    • Snake Keylogger

      A .NET keylogger and infostealer first seen in November 2020. It harvests keystrokes, clipboard contents and saved browser and mail-client credentials and sends them to an attacker-controlled mailbox; for this sample the extracted config shows exfiltration over SMTP.

    • Snake Keylogger payload

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data from the registry, where stored account settings and credentials can be recovered.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Typical of process hollowing: a suspended process's thread context is rewritten to point at injected code before the thread is resumed.
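
The extracted SMTP config and the external-IP-lookup signature above give two network indicators a defender can hunt for. The following detection logic is an added example written for this page, not code from the sandbox or the report; it runs over a constructed log, and the log format, the list of IP-lookup domains and the mail-relay allow-list are assumptions (the report does not say which lookup service the sample used). The exfil host and port are taken from the extracted config.

```python
"""Detection example added by the editor; it is not part of the sandbox report.

It flags the two network behaviours the report records for this sample:
SMTP exfiltration to the host/port in the extracted Snake Keylogger config,
and an external-IP lookup against a public web service. The log format,
the IP-lookup domain list and the relay allow-list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators copied from the report's extracted config.
EXFIL_HOST = "mail.efsmanpower.com"
EXFIL_PORT = 587

# Assumed: legitimate IP-lookup services commonly queried by stealers.
# The report does not say which one this sample used.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "ipinfo.io"}

# Assumed: the only internal hosts that may speak SMTP outbound.
MAIL_RELAYS = {"10.0.0.25"}
SMTP_PORTS = {25, 465, 587}

# Assumed log format: "<ts> <src_ip> <proto> <dst_host> <dst_port> [<uri>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>\S+) (?P<host>\S+) (?P<port>\d+)(?: (?P<uri>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    rule: str
    detail: str


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["host"] = ev["host"].lower()
    return ev


def check(ev: Dict[str, object]) -> List[Alert]:
    """Apply the three rules to a parsed event."""
    alerts = []
    host, port, src, proto = ev["host"], ev["port"], ev["src"], ev["proto"]
    if host == EXFIL_HOST and port == EXFIL_PORT:
        # Exact match on the exfil mailbox host from the extracted config.
        alerts.append(Alert(ev["ts"], src, "snakekeylogger_smtp_exfil", f"{proto} to {host}:{port}"))
    elif proto == "smtp" and port in SMTP_PORTS and src not in MAIL_RELAYS:
        # Generic: workstations should not submit mail directly.
        alerts.append(Alert(ev["ts"], src, "unexpected_outbound_smtp", f"{host}:{port}"))
    if host in IP_LOOKUP_HOSTS:
        alerts.append(Alert(ev["ts"], src, "external_ip_lookup", host))
    return alerts


def scan(lines: List[str]) -> List[Alert]:
    """Run every parseable line through check() and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev:
            alerts.extend(check(ev))
    return alerts


def correlate(alerts: List[Alert]) -> Set[str]:
    """Sources that both looked up their external IP and hit the exfil mailbox.
    Stealers typically fetch the external IP to stamp the stolen data, so the
    pair together is a much stronger signal than either alert alone."""
    by_src: Dict[str, Set[str]] = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.rule)
    needed = {"external_ip_lookup", "snakekeylogger_smtp_exfil"}
    return {s for s, rules in by_src.items() if needed <= rules}


# Constructed sample log for the example; this is not traffic from the report.
SAMPLE_LOG = [
    "2024-01-25T10:00:01Z 10.0.0.25 smtp smtp.office365.com 587",
    "2024-01-25T10:02:10Z 10.0.5.17 http checkip.dyndns.org 80 /",
    "2024-01-25T10:02:14Z 10.0.5.17 smtp mail.efsmanpower.com 587",
    "2024-01-25T10:03:00Z 10.0.5.18 https www.example.com 443 /",
    "2024-01-25T10:04:00Z 10.0.5.19 smtp mail.example.net 25",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} {a.rule} {a.detail}")
    print("high-confidence infected hosts:", sorted(correlate(found)))
```

The exact-match rule fires even for the allow-listed relay, because the report's extracted mailbox is an indicator in its own right; the generic outbound-SMTP rule is what catches a re-packed sample with a different mailbox, at the cost of needing a relay allow-list tuned to the environment.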

MITRE ATT&CK Enterprise v15

Tasks