General

  • Target

    Photo01.jpg.lnk

  • Size

    2KB

  • Sample

    240131-mw991saeb9

  • MD5

    2b91c1d78d8e65a4a8a4c8bb89267e7f

  • SHA1

    37092cdcc30b44403638e19bb2b214e6fe9be2b2

  • SHA256

    335dbbec54330e455233417d1ce7dd7ccc0550c1c8bdf8eaf6d3e54f1c5f0b6a

  • SHA512

    6a2fe949bb755fb770d1c1c42cd0288a1f1ef1cb783aead550066ac3aa09c740ceaf13990f62400021adcd08432035147c21cb22f186969b3eec37784a2a370f

Malware Config

Targets

    • Target

      Photo01.jpg.lnk

    • Size

      2KB

    • MD5

      2b91c1d78d8e65a4a8a4c8bb89267e7f

    • SHA1

      37092cdcc30b44403638e19bb2b214e6fe9be2b2

    • SHA256

      335dbbec54330e455233417d1ce7dd7ccc0550c1c8bdf8eaf6d3e54f1c5f0b6a

    • SHA512

      6a2fe949bb755fb770d1c1c42cd0288a1f1ef1cb783aead550066ac3aa09c740ceaf13990f62400021adcd08432035147c21cb22f186969b3eec37784a2a370f

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks