General

  • Target: Image012.png.lnk
  • Size: 2KB
  • Sample: 240131-mw991sccel
  • MD5: 395be4940bf35809d5bcfe58646b278c
  • SHA1: 02b01088e3bb584641281c36118c930f3c9b963d
  • SHA256: 4c5fe2c863349aa4f43dd9f9f932dac11576832a12bc5e84b840c09c1308f540
  • SHA512: 9add65f4de5ef386b7191ac869ca1801dcdd9525189fdb94a5d86c82c4c51d983e3966ef148f392d48382588ed8882ea25120dcbd6bc8d8a7e63e362e6b2929b

Malware Config

Targets

    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, which infostealers often target.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks