General

  • Target

    892885effadd96dae30af906c0e900706652b3b20e5547b9e4289f531d1a2c73.rar

  • Size

    436KB

  • Sample

    240711-b5ph5avakb

  • MD5

    091c13e617638d0d7acfd5ff81594b6a

  • SHA1

    7dc3d25ddfcbb478390e0f132825f93737143a13

  • SHA256

    892885effadd96dae30af906c0e900706652b3b20e5547b9e4289f531d1a2c73

  • SHA512

    d67a752edae3933420551cb8f91817b134ca71b341585c24b7912d151802b19ad719836e94143af0cd6878e84034f649fb7247c40040a1df9f9d9b1671fb77f1

  • SSDEEP

    6144:Z2d4/41dDbqRK8rqr7hnRGCf8+MpVbLC0jJ6+Wgx8qNwU51mTRwTZz1PVeFV4fmv:wdIRKaqPh0xV0A/Ya7Yab+xOqj

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7377884885:AAGDE6_d9hXHQkXeQnXVnXZia5CIJu4gajM/sendMessage?chat_id=7161549085

Targets

    • Target

      SWIFT.exe

    • Size

      775KB

    • MD5

      0d0f944239a7dd07826e28edf9647185

    • SHA1

      3911f09935fb37f9f6cc3ff990e12e6143282d8a

    • SHA256

      c58de5f40be8fd760fc08b1ef7ae5a3f5771dbc214426156e3a21a89bb8303fc

    • SHA512

      e5077fa3179d7082587d606b8c8c6b5c0d74794225394522d92a06295e962a1cdb9868ac415720e3908222cc6c55312d24868be8d8ec2e52ef81243080fe5b7e

    • SSDEEP

      12288:7akAv7gfFvt8pjs0p1cvxM/r9RKGqHmIdD+c:+kiext2Y0QMz9RKHHF9D

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      4d3b19a81bd51f8ce44b93643a4e3a99

    • SHA1

      35f8b00e85577b014080df98bd2c378351d9b3e9

    • SHA256

      fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

    • SHA512

      b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

    • SSDEEP

      192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      3eb4cd50dcb9f5981f5408578cb7fb70

    • SHA1

      13b38cc104ba6ee22dc4dfa6e480e36587f4bc71

    • SHA256

      1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf

    • SHA512

      5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324

    • SSDEEP

      96:+7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNv3e:QXhHR0aTQN4gRHdMqJVgNG

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks