General

  • Target

    DO70976789089.bat

  • Size

    1.1MB

  • Sample

    240711-vp753swcrk

  • MD5

    2713632265334f5787354ca0d66216a6

  • SHA1

    7327b3348098db8f503c94e0738fbfcba8c86fa7

  • SHA256

    2378b6646124aefc8b0cc9856e9f155881705ee08a278125bde9e61519df39a6

  • SHA512

    1ea07ba59d194c89bfb38c2858891af9834bb61e944e3affd08c872c6fbd0670c23f6c8ee62ae513123a205941223982248165497953119ab0fccde27d077d28

  • SSDEEP

    24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaEJRmFBbxiIaf5:eh+ZkldoPK8YaEXmLz6

Malware Config

Extracted

Family

snakekeylogger

C2

https://scratchdreams.tk
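Before acting on the hashes listed under General or blocking the extracted C2, a practitioner normally checks a suspect file against all published digests at once (a single matching algorithm with the others disagreeing points to a corrupted copy or a mis-transcribed hash, not a confirmed match). The following Python script is an added example and is not part of the sandbox report; the digest values are copied from this page, the function names are the author's own, and the file path is whatever is passed on the command line.

```python
import hashlib
import sys
from urllib.parse import urlsplit

# Digests published in this report for DO70976789089.bat (1.1MB).
REPORT_HASHES = {
    "md5": "2713632265334f5787354ca0d66216a6",
    "sha1": "7327b3348098db8f503c94e0738fbfcba8c86fa7",
    "sha256": "2378b6646124aefc8b0cc9856e9f155881705ee08a278125bde9e61519df39a6",
    "sha512": "1ea07ba59d194c89bfb38c2858891af9834bb61e944e3affd08c872c6fbd0670"
              "c23f6c8ee62ae513123a205941223982248165497953119ab0fccde27d077d28",
}

# C2 URL extracted from the sample's configuration, as listed above.
REPORT_C2_URL = "https://scratchdreams.tk"


def digests_of_bytes(data: bytes) -> dict:
    """Compute every digest the report lists, for an in-memory buffer."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once through all hashers (avoids loading a large sample into memory)."""
    hashers = {alg: hashlib.new(alg) for alg in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matching_algorithms(digests: dict, reference: dict = REPORT_HASHES) -> list:
    """Return the algorithms whose computed digest equals the reported one (case-insensitive)."""
    return sorted(
        alg for alg, value in digests.items()
        if reference.get(alg, "").lower() == value.lower()
    )


def verdict(digests: dict, reference: dict = REPORT_HASHES) -> str:
    """'match' only when every listed digest agrees; a partial match is a red flag, not a hit."""
    matched = set(matching_algorithms(digests, reference))
    if not matched:
        return "no match"
    if matched == set(reference):
        return "match"
    return "partial"


def c2_host(url: str = REPORT_C2_URL) -> str:
    """Hostname to feed a DNS/proxy blocklist, stripped of scheme and path."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    # Usage: python check_sample.py <suspect-file>
    for target in sys.argv[1:]:
        d = digests_of_file(target)
        print(target, verdict(d), matching_algorithms(d))
        print("block C2 host:", c2_host())
```

Run it against the quarantined file; anything other than "match" with all four algorithms listed means the file on disk is not the sample this report describes, and the C2 hostname is the value to block rather than the full URL, since the page the malware requests may vary.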

Targets

    • Target

      DO70976789089.bat

    • Size

      1.1MB

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020; harvests keystrokes, clipboard contents and credentials saved by browsers and email clients.

    • Snake Keylogger payload

    • Drops startup file

      Writes a file to a Startup location so the payload runs again at the next logon (persistence).

    • Executes dropped EXE

      Launches an executable that the sample wrote to disk during the run.

    • Accesses Microsoft Outlook profiles

      Reads the Outlook profile data under the user's registry hive, where stored mail account settings and credentials live.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables. Despite the .bat extension, this target is a compiled AutoIt binary, so the extension is a masquerade rather than a batch script.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the hallmark of process hollowing/RunPE-style injection: a process is started suspended, its image is replaced with the payload, and the entry point is redirected before the thread is resumed.

MITRE ATT&CK Enterprise v15