General

  • Target

    82e683f521d395ceabb0703c0e2de95c5c8886aed811da565bb8c03436452d3e.exe

  • Size

    627KB

  • Sample

    240711-b36dvsthlg

  • MD5

    3d5e8fce4bf5c6fd82e0d299177e6655

  • SHA1

    d77ac97def9efb8a01926dd0b49c1b1a5f1921a2

  • SHA256

    82e683f521d395ceabb0703c0e2de95c5c8886aed811da565bb8c03436452d3e

  • SHA512

    ea714adf86dd210de4bd34485312c1860e070d903d353ea1a3b7903d325bfa851e972b65d37dbec16769818d12005f2f7708e8716dd343aa13895fa9563e7751

  • SSDEEP

    12288:OvxwRbB0H5KUjUPKCuO+ggobwxXptiOn4v6:Ovx6bB0ZqAHgDS5tii

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7224070216:AAEvFqvN6xrSarprtimPxHUnIh2WUZLzW1A/sendMessage?chat_id=7161549085

Targets

    • Target

      82e683f521d395ceabb0703c0e2de95c5c8886aed811da565bb8c03436452d3e.exe

    • Size

      627KB

    • MD5

      3d5e8fce4bf5c6fd82e0d299177e6655

    • SHA1

      d77ac97def9efb8a01926dd0b49c1b1a5f1921a2

    • SHA256

      82e683f521d395ceabb0703c0e2de95c5c8886aed811da565bb8c03436452d3e

    • SHA512

      ea714adf86dd210de4bd34485312c1860e070d903d353ea1a3b7903d325bfa851e972b65d37dbec16769818d12005f2f7708e8716dd343aa13895fa9563e7751

    • SSDEEP

      12288:OvxwRbB0H5KUjUPKCuO+ggobwxXptiOn4v6:Ovx6bB0ZqAHgDS5tii

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bff2a11d26d951ec34679b8fa1ee7192

    • SHA1

      d3de629a5a86ee35b6afa1802f6ac8b141b07062

    • SHA256

      aec5af9c7c551c3590492b0c0120b535b55ab048e84f695b617a5ab4b1a52f54

    • SHA512

      1dce397c9cab3cd3b58c181688286a89067c743f195403694819c2d988435268ffd01939beaaa17cfa344160c89414f28273b70de154be0def034af8c470723a

    • SSDEEP

      192:G9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:GJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      fdee755c4987e9859e0eec130ee22efd

    • SHA1

      ba32823881a98da6b92eee1d866be2b3a20c6e5d

    • SHA256

      e18984e78d58b2383f2c1e8ed0000088ee8d9d469345383618f179176fcddff6

    • SHA512

      31ba3dad22fd9b78ab3f6017c4373c923d048cf0c010900a131c4533ef185d408a88052aa4cf6184dbe484d44aab9cfa94a052185cf0b9ad19286ed921e4723f

    • SSDEEP

      96:ft4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:ft4Vlw1Iul5J8T1vK20I5VVGsb

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks