General

  • Target

    45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c.exe

  • Size

    1024KB

  • Sample

    240521-rertkage83

  • MD5

    2e488e75f59f35f2a52e403254f6ac4b

  • SHA1

    f9631fd13ce8fefe5f1aee7d638fb6e2a4ae9ac1

  • SHA256

    45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c

  • SHA512

    1df825813bf3e78b2c7f52e3315dffe1906ae61ff168dd834384180b644a73152f0e4e3905859e4511c13c56d654890e8dd34b04140ce93c907a9113c9452271

  • SSDEEP

    24576:WSu1S82mBVrIiudqjgKJrgKCC9Uy77C/:WSuU82mTV7gKJNZ9J

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://scratchdreams.tk

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks