General

  • Target

    05072024_1449_04072024_發票.rar

  • Size

    603KB

  • Sample

    240705-r7f8jazgpj

  • MD5

    9d5bfecdb22d1febf79a940ad5648ad3

  • SHA1

    da06173497e364de8e1f756e9c3a8bba1c11b20b

  • SHA256

    8486f181bab99eb0df17a9f85acb7425e2bea61850cac01b3938bea2d3e056dd

  • SHA512

    03285da7ae010bc53c08cfe8b378f14385cd40ac3c9a000ab36eb55b1b3520245b3dbf1534dc2482ed726dde0dd84ddda3a5afd6898cb6e9bbe30af693b28288

  • SSDEEP

    12288:YEPJkGX7TO54/1KnQkDtFfrAFzyn6BB7gH5Rjl7Am2dV7Bhg:zko7TOi/18rfsn7gZveV7BK

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7369383080:AAHZ3-eOPNC8dmeokZayL5k2b8wsqK_6ziI/sendMessage?chat_id=6485182959

Targets

    • Target

      發票.exe

    • Size

      628KB

    • MD5

      d6da9124c180ce53a244bdda9caa747a

    • SHA1

      422caac2a08e35d47c5990771a1744595a03737c

    • SHA256

      95c6bc7d559e0a52f10a6842b2e04bac219c168c99dec9993d8eaecfdae3aeb0

    • SHA512

      c9937a342fcb5d355edff856447f69b6a7a16a0e60b0f673ecd8daee0dcbe02d50998db338d0463be9fa4c0cdd184464c6bca557037a48bf4b27af32bcd7872b

    • SSDEEP

      12288:qYV6MorX7qzuC3QHO9FQVHPF51jgczyELf3U4p2XAUAmvBJhDxrn:ZBXu9HGaVH1LPtp2kmvdVL

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks