General

  • Target

    7ae596e4adf76beb30ebb960dee5bf60

  • Size

    762KB

  • Sample

    240127-wjnd6ahbe8

  • MD5

    7ae596e4adf76beb30ebb960dee5bf60

  • SHA1

    b401672a55519e7ae28d5f58f31e1267bb5300cf

  • SHA256

    ca6331b3a8e19b15ccc097bb4a6648bfa94136134c2302b5e11525cf27f09a34

  • SHA512

    8373eb81697f239637ce2c981e559b53431f8b667b8e8ec8961dae25236139f5b8eef71f2a52f318da8cc3c05b7aa04cf63b6a8041ba69f8f067f9ed6274acd9

  • SSDEEP

    12288:0eoPU9rPU9SMDPtHZBwOsBgo0q4wMur3teV4Ea8b9VqEVzR1ybbDsqo5qlm6HR4l:0eoBwOsBgo0q4wMkA4cWs1ybb1o5PgGu

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bdkpoll.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    tU#)K+9jxLdZ

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks