General

  • Target

    791a8a2c3ba4e40f4f39139d7f30a00f

  • Size

    861KB

  • Sample

    240127-dh59gabha4

  • MD5

    791a8a2c3ba4e40f4f39139d7f30a00f

  • SHA1

    d5c65dee4aa562acc1806d734cc74c50d78b674f

  • SHA256

    728ef2a64a4d0f892eba9c91c7b3cda8d76adb093747a307277807782fb50d8c

  • SHA512

    3424abb634bd098d9a519284e103f7faa856a43007dab8cbe0930f6ee50e2d77f318fb821107f2fb632761016c1707c44b1d43edc803c49583ae2497016ec537

  • SSDEEP

    24576:mnoqWjnfp5bSZRoxIAcAyoUBEKcCm9bvjS:tqafptIUpe

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      DHL Notification-pdf.exe

    • Size

      1.2MB

    • MD5

      5228ecf840cf5bb8a37af32fdab81fe8

    • SHA1

      200dc5f0010ce6cc1e27be47f7772b84454794c6

    • SHA256

      9906d7c05680fc4b3e9c741e5c95d6c8acbd88f7ded4b451270cdfa7c8847c30

    • SHA512

      f709e9e3f5dc74e04c3ad30df96926781a095c29c469b04151d0b17a14fca7ca5167fd7c084ba05e2fdb2082bf45597f06c1449bae2facec1472cbb1a4bbb00b

    • SSDEEP

      24576:efOsBgo0q4wMiBmCmTOUd+L6kPXWKvjKcnta7IfdHjJ:eWoHM2mCm6Ud+zPXJjjntak5J

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      A thread's register context was rewritten with SetThreadContext, a step commonly seen in process hollowing and other code-injection techniques that redirect execution into injected code.
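The "Looks up external IP address via web service" behaviour is easy to hunt for in proxy, DNS or EDR network telemetry: an IP-lookup service being queried by something that is not a browser is a strong signal. The following is an added example, not part of the report, that runs that logic over a few constructed JSON-lines network events. The event format, the list of lookup-service hostnames and the set of browser images are all assumptions for the example; the report does not say which service the sample contacted, so tune the list to what your own telemetry shows.

```python
import json

# Hostnames of commonly abused public IP-lookup services. Assumption for
# the example: extend it from your own proxy/DNS data.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org",
    "ip-api.com", "icanhazip.com", "ifconfig.me", "ipinfo.io",
    "myexternalip.com", "whatismyipaddress.com",
}

# Images for which a lookup is plausibly user-driven (assumption; tune it).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed telemetry: one event per line, fields ts/host/image/dest_host.
# The paths and hostnames are made up for the example; only the executable
# name "DHL Notification-pdf.exe" comes from the report.
SAMPLE_LOG = r"""
{"ts":"2024-01-27T10:02:11Z","host":"WS01","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"api.ipify.org"}
{"ts":"2024-01-27T10:02:40Z","host":"WS01","image":"C:\\Users\\victim\\AppData\\Local\\Temp\\DHL Notification-pdf.exe","dest_host":"checkip.dyndns.org"}
{"ts":"2024-01-27T10:03:05Z","host":"WS01","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dest_host":"outlook.office365.com"}
this line is not json and must not break the rule
{"ts":"2024-01-27T10:04:19Z","host":"WS02","image":"C:\\Windows\\System32\\svchost.exe","dest_host":"www.ip-api.com"}
"""


def matches_lookup_host(hostname):
    """True if hostname is a known lookup service or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == svc or h.endswith("." + svc) for svc in IP_LOOKUP_HOSTS)


def basename(image):
    """Last path component of a Windows image path, lower-cased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return one alert dict per event where a non-browser image contacted
    an IP-lookup service. Malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        dest = str(ev.get("dest_host", ""))
        if not dest or not matches_lookup_host(dest):
            continue
        image = basename(str(ev.get("image", "")))
        if image in BROWSER_IMAGES:
            continue
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "image": image,
            "dest_host": dest,
            "rule": "external-ip-lookup-from-non-browser",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['host']} {a['image']} -> {a['dest_host']}")
```

On the constructed data the Chrome request is suppressed, the Outlook request never matches a lookup host, the malformed line is ignored, and the two remaining events (the dropped executable and a process that reached a subdomain of a listed service) are raised. Matching on subdomains matters because these services answer on several hostnames; matching on the image rather than the user keeps the rule useful when the stealer runs under an ordinary user account, as this one would after a phishing attachment is opened.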

MITRE ATT&CK Matrix

Tasks