General

  • Target

    Tender INP19472.png.lnk

  • Size

    2KB

  • Sample

    240131-mw991saeb6

  • MD5

    3a4776feaabd11c4af38048f0bcd9180

  • SHA1

    4bf15af33feeb363a0e94a02fc344cb640894dfa

  • SHA256

    0166e228994082e7800338d0fabeef966cd11349818e9a0cad042286fa842659

  • SHA512

    6aefa9e0092729b32fcfa89da84db5ace224687f7a77175a74a0675741bda67f68aeb96beabfdb89875b24a842ca09a2e6e0e72318e88e785c174789a1be7e16

Malware Config

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks