General

  • Target

    11072024_1652_11072024_Fatura.rar

  • Size

    434KB

  • Sample

    240711-vdd3vsxhmd

  • MD5

    7ac7c7311256fcadff9d5d577a1341cd

  • SHA1

    4023a172b0d4ee39eedd857f238967c3caa6dd65

  • SHA256

    6292fdf69844ed834e9f6ca211bdabde3b0ac0de7a11a9cca188ca3f99c313ef

  • SHA512

    2cdbece21bff99a6b50f2d6f6c3bf4bb57fd2f2fa4058ab6cf30079567435ea7bb9a97d40f731d80b3526e5afad1c7f01f9ad3f4cd98b7910ed12c60df8c025b

  • SSDEEP

    6144:tNEXGAIZ2+PZtk05/eM0kJkb1OroG8TcWf75pSolDPdNbN3eHIEkLTcWjt1m50/d:tNEXGRZ7I05/zvrtKpBNb4o7Njt1UHO

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115
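An added triage helper, not part of this report, that pulls Telegram Bot API C2 URLs like the one above out of a memory dump, unpacked payload or strings listing and splits them into bot id, token and chat_id, checking both 8-bit and UTF-16LE string encodings because .NET stealers keep their user strings as UTF-16. The C2 URL is the one reported here; the bytes around it are constructed, and the `getMe` URL the helper emits is the public Bot API method for naming the bot behind a token, which the sandbox did not exercise.

```python
"""Extract Telegram Bot API C2 endpoints from a sample's bytes and turn them into IOCs."""
import re
from urllib.parse import parse_qs

# Bot API URLs look like https://api.telegram.org/bot<bot id>:<35-char secret>/<method>?...
# The query class deliberately excludes NUL and control bytes so UTF-16 padding does not
# leak into the chat_id value.
TELEGRAM_C2_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>[A-Za-z0-9_%&=.+-]*))?"
)


def _views(blob: bytes):
    """Yield the text views a .NET stealer's strings may be stored in:
    8-bit (latin-1, a superset of ASCII) and UTF-16LE at both byte alignments."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")
    yield blob[1:].decode("utf-16-le", errors="ignore")


def extract_telegram_c2(blob: bytes) -> list:
    """Return one record per distinct (token, chat_id) pair found in blob."""
    found = {}
    for text in _views(blob):
        for m in TELEGRAM_C2_RE.finditer(text):
            token = f"{m['bot_id']}:{m['secret']}"
            chat_id = parse_qs(m["query"] or "").get("chat_id", [None])[0]
            key = (token, chat_id)
            if key in found:
                continue  # same endpoint seen in another encoding
            found[key] = {
                "bot_id": m["bot_id"],
                "token": token,
                "method": m["method"],
                "chat_id": chat_id,
                "url": m.group(0),
                # getMe needs only the token and returns the bot's username, a durable
                # pivot when the operator rotates chat_ids between campaigns.
                "getme_url": f"https://api.telegram.org/bot{token}/getMe",
            }
    return list(found.values())


def defang(url: str) -> str:
    """Make an exfil URL safe to paste into a ticket without being clickable."""
    return url.replace("https://", "hxxps://").replace(".", "[.]")


# Constructed sample input: the C2 URL reported for this sample, embedded once as an
# 8-bit string and once as UTF-16LE, with junk bytes around it. Not a real dump.
C2_URL = ("https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM"
          "/sendMessage?chat_id=1545867115")
SAMPLE_BLOB = (b"\x00MZ\x90junk" + C2_URL.encode("ascii") + b"\x00\x00padding\x00"
               + C2_URL.encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    for rec in extract_telegram_c2(SAMPLE_BLOB):
        print(f"bot {rec['bot_id']} -> chat {rec['chat_id']} via {rec['method']}")
        print("  ioc:", defang(rec["url"]))
        print("  pivot:", defang(rec["getme_url"]))
```

Run it against a `strings -el` listing or a raw process dump; the token is a live credential for the operator's bot, so treat the output as sensitive and do not query the Bot API from an attributable address.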

Targets

    • Target

      Fatura.exe

    • Size

      630KB

    • MD5

      c6ba6c0f42898b7564e3d217a24efb3a

    • SHA1

      2cea91f4568bc298fe098e7caaac446ed706c05f

    • SHA256

      f797957066f7df06f719849951c278e9c5f56a225f6d68ee352a14539579d8af

    • SHA512

      006095e1ccbea8483bc85f9aa98751b56d153646cee21a348388dff0e21fa030f654e5dea82753ae1bfddc75859e7c6a63fd6c6cf7ceb992841a1ce83a35f849

    • SSDEEP

      12288:KvxwRbB0H5KUjUPKCuO+ggobwxJ3C4e5cI2kD7Bl:Kvx6bB0ZqAHgDSqcEn

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Disables RegEdit via registry modification

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data (account settings, saved passwords) on disk, where infostealers commonly target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bff2a11d26d951ec34679b8fa1ee7192

    • SHA1

      d3de629a5a86ee35b6afa1802f6ac8b141b07062

    • SHA256

      aec5af9c7c551c3590492b0c0120b535b55ab048e84f695b617a5ab4b1a52f54

    • SHA512

      1dce397c9cab3cd3b58c181688286a89067c743f195403694819c2d988435268ffd01939beaaa17cfa344160c89414f28273b70de154be0def034af8c470723a

    • SSDEEP

      192:G9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:GJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      fdee755c4987e9859e0eec130ee22efd

    • SHA1

      ba32823881a98da6b92eee1d866be2b3a20c6e5d

    • SHA256

      e18984e78d58b2383f2c1e8ed0000088ee8d9d469345383618f179176fcddff6

    • SHA512

      31ba3dad22fd9b78ab3f6017c4373c923d048cf0c010900a131c4533ef185d408a88052aa4cf6184dbe484d44aab9cfa94a052185cf0b9ad19286ed921e4723f

    • SSDEEP

      96:ft4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:ft4Vlw1Iul5J8T1vK20I5VVGsb

    • Score

      3/10
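An added detection example, not part of this report, that scores per-process telemetry against the behaviours listed for Fatura.exe above: the RegEdit policy tamper, reads of browser and email-client credential stores, Outlook profile access, the external IP lookup and the Telegram exfil host. The events, paths and the process names are constructed; the registry value, browser file names and IP-lookup hosts are the standard Windows and public-service locations, assumed here because the report names the behaviours but not the exact artefacts this sample touched.

```python
"""Score per-process telemetry against the stealer behaviours in the report.
Events below are constructed for illustration, not taken from the sandbox run."""
from collections import defaultdict
from ntpath import basename
from typing import Optional

# The DisableRegistryTools policy value is the standard way to grey out regedit;
# the report only says RegEdit is disabled via the registry, so this is an assumption.
REGEDIT_POLICY = r"\policies\system\disableregistrytools"
BROWSER_CRED_FILES = {"login data", "cookies", "web data", "logins.json", "key4.db"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
EMAIL_CLIENT_DIRS = ("\\thunderbird\\", "\\postbox\\", "\\foxmail\\")
# Public IP-lookup services stealers commonly query; the report does not name the one used.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com"}
EXFIL_HOSTS = {"api.telegram.org"}


def classify(ev: dict) -> Optional[str]:
    """Map one event to an indicator name, or None if it is not interesting."""
    kind, target = ev["type"], ev["target"].lower()
    image = basename(ev["image"]).lower()
    if kind == "RegistryValueSet" and target.endswith(REGEDIT_POLICY):
        # 1 disables regedit, 2 also blocks silent /s runs; anything else is a reset.
        return "disables_regedit" if ev.get("value") in ("1", "2") else None
    if kind == "RegistryKeyAccess" and "\\outlook\\profiles" in target:
        return "outlook_profiles"
    if kind == "FileRead":
        if any(d in target for d in EMAIL_CLIENT_DIRS):
            return "email_client_data"
        # A browser reading its own credential store is normal; any other image is not.
        if basename(target) in BROWSER_CRED_FILES and image not in BROWSERS:
            return "browser_data"
    if kind == "DnsQuery":
        if target in IP_LOOKUP_HOSTS:
            return "external_ip_lookup"
        if target in EXFIL_HOSTS:
            return "telegram_c2"
    return None


def score_processes(events) -> dict:
    """Group indicators by pid and give each process a verdict."""
    hits = defaultdict(set)
    images = {}
    for ev in events:
        images[ev["pid"]] = ev["image"]
        ind = classify(ev)
        if ind:
            hits[ev["pid"]].add(ind)
    out = {}
    for pid, image in images.items():
        inds = sorted(hits[pid])
        # Exfil plus at least two data-access indicators is the stealer pattern;
        # fewer hits get lower confidence so a lone IP lookup does not page anyone.
        if "telegram_c2" in inds and len(inds) >= 3:
            verdict = "high"
        elif len(inds) >= 2:
            verdict = "medium"
        elif inds:
            verdict = "low"
        else:
            verdict = "none"
        out[pid] = {"image": image, "indicators": inds, "verdict": verdict}
    return out


# Constructed telemetry: one stealer-like process, one browser touching its own
# store (must not fire), one unrelated service.
FATURA = r"C:\Users\user\Desktop\Fatura.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": FATURA, "type": "RegistryValueSet", "value": "1",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"pid": 4120, "image": FATURA, "type": "FileRead",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": FATURA, "type": "FileRead",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\Profiles\k3x9.default\logins.json"},
    {"pid": 4120, "image": FATURA, "type": "RegistryKeyAccess",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 4120, "image": FATURA, "type": "DnsQuery", "target": "checkip.dyndns.org"},
    {"pid": 4120, "image": FATURA, "type": "DnsQuery", "target": "api.telegram.org"},
    {"pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "FileRead",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 880, "image": r"C:\Windows\System32\svchost.exe", "type": "DnsQuery",
     "target": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for pid, rec in score_processes(SAMPLE_EVENTS).items():
        print(pid, basename(rec["image"]), rec["verdict"], ", ".join(rec["indicators"]))
```

The anti-debug thread calls in the report (NtSetInformationThread with ThreadHideFromDebugger, SetThreadContext) are not in this scoring because ordinary endpoint telemetry does not record them; they are a sandbox-only signal.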

MITRE ATT&CK Enterprise v15

Tasks