General

  • Target

    SIPARIS-290124 (619 KB).exe

  • Size

    619 KB

  • Sample

    240131-ncawgscfhq

  • MD5

    8e94412b2dffeae1c742add73009cf29

  • SHA1

    e26c12105aaf9c2e35647dc4e7e400812144f1e4

  • SHA256

    c7362845283503e1538fd1c4ba224becc55c213613c30684fa790cd6f99d2094

  • SHA512

    d9b8ac10c98270ec3030217556eb870d1e995df1365503d2dc7504b08eb3a035d3d3a8cbd6a1dcd9a3e66e17802e89cf30af9dea1d6f6b4e5fff57440de44192

  • SSDEEP

    12288:UTI9SCF1OxyQQB8naJ3f2e0wfJ5nqtk2KJfY4L8L5/:gI9ZkyQQEaZf2TyJ5nqo58L5/

Malware Config

Targets

    • Target

      SIPARIS-290124 (619 KB).exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks