General

  • Target

    Payment_Advice.exe

  • Size

    935KB

  • Sample

    240501-qhsplahg48

  • MD5

    e708aa3160e224de971421d5bc2fee29

  • SHA1

    7db6e4d3e5e2db1cd12717fa9a62a35a52834c02

  • SHA256

    ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9

  • SHA512

    47bff81600e4ff9e0a4fdbfa5f16141057bfca9fc0117cc2950428f6c627830482fc683c942a48ca77d37c3f4031d2585999453ce7c877eba6428cfe9ed2eff2

  • SSDEEP

    12288:zjU00pFjzc/AKi9r4atz4fM3F58HMiEJy54ll8zhc6O6vo6Oh8IPMbP:L0s3iN4atkA/8Rze78zbP

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.qoldenfrontier.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    %2WMoWREUv@3

Extracted

Family

snakekeylogger

Credentials
C2

https://scratchdreams.tk

Targets

    • Target

      Payment_Advice.exe

    • Size

      935KB

    • MD5

      e708aa3160e224de971421d5bc2fee29

    • SHA1

      7db6e4d3e5e2db1cd12717fa9a62a35a52834c02

    • SHA256

      ba78d6ffbd1bd564598b33a3d28d437b3fe7129ffb93dee80e732e44098b9aa9

    • SHA512

      47bff81600e4ff9e0a4fdbfa5f16141057bfca9fc0117cc2950428f6c627830482fc683c942a48ca77d37c3f4031d2585999453ce7c877eba6428cfe9ed2eff2

    • SSDEEP

      12288:zjU00pFjzc/AKi9r4atz4fM3F58HMiEJy54ll8zhc6O6vo6Oh8IPMbP:L0s3iN4atkA/8Rze78zbP

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks