General

  • Target

    order pdf.exe

  • Size

    491KB

  • Sample

    240508-jfx3zahf3w

  • MD5

    1aa85e7264a5b41dea1dc1347c21c6e4

  • SHA1

    0673529b1f6635f1d6bf652f78bd95b615a7fc62

  • SHA256

    8a3d0e96ab670914b932cdd86254db25e5e45c5f6a540e331bdc9370863542d9

  • SHA512

    05e126fd810007191ddf41aaf85ae521d2d0303fe26a56aff82c420238beb329b40436252873f970038144a239d44d8c29b428dda09835ba1341d6b6b1e0fa62

  • SSDEEP

    12288:pyQHwt3dGClR6NsJw0lp1BUiFJx75otHbHc:Gt3MCwsJwgPx75c

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.lubentech.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    hamid@1349

Extracted

  • Family
    snakekeylogger
  • Credentials
  • C2
    https://scratchdreams.tk

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks