General

  • Target

    Ziraat Bankası Swift Mesajı.pdf.exe

  • Size

    577KB

  • Sample

    240131-m6vmbaafh4

  • MD5

    e12779a7b7ac2d2c85e96c9ac6d7d7dc

  • SHA1

    3484bd1094df0332bf9e4c5f55abb4d645140015

  • SHA256

    7006ebe925d1d4c3921787ad6ffcae07f437ebacf41d332b24803cc700796b07

  • SHA512

    971388784fb9eed7f10cbdfc818670bc07e1bbed6ead612e341ca8c719ef50c6fd821b9128d68498585c184ca533bc8cda98cff484833cda55c91038e3e09804

  • SSDEEP

    12288:BxNGIAYQ4IlQoXl3qzyheegDgdWzWmsGSnhXhawq+n0hdxaL:3sIAlQoXd8ykegDgMzWmsGSzbqsCdC

Malware Config

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks