General

  • Target

    5162998410249741117aa8b3e5f565c715052caf2628e387ef3e266dafbf2b25.exe

  • Size

    636KB

  • Sample

    240712-vqz6vssepl

  • MD5

    33a090dccf943c2275404a12d463f7c2

  • SHA1

    5fc8a3ad2b2f65d74793bb6b7cfd973e33969b23

  • SHA256

    5162998410249741117aa8b3e5f565c715052caf2628e387ef3e266dafbf2b25

  • SHA512

    bd690b403518b3aaa78d0ff6262822dc37b337e814ed744108e14bacd276f311a9560db307e290f144c72b15632c25f67b26e0508c11c566661717c058d21492

  • SSDEEP

    12288:2xgblOLj6IUyH8LjOh/VYJgDYomJ4NnNiZHK9VForrJVHl9HAkvE1eQpT:ogh8UE6lSDpmJ4Nn8dK9VFoL3LMEQp

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6586430362:AAFht6dWuqVwCGM9yLNchh9SF2eYj5iNi4w/sendMessage?chat_id=7062552884

Targets

    • Target

      5162998410249741117aa8b3e5f565c715052caf2628e387ef3e266dafbf2b25.exe

    • Size

      636KB

    • MD5

      33a090dccf943c2275404a12d463f7c2

    • SHA1

      5fc8a3ad2b2f65d74793bb6b7cfd973e33969b23

    • SHA256

      5162998410249741117aa8b3e5f565c715052caf2628e387ef3e266dafbf2b25

    • SHA512

      bd690b403518b3aaa78d0ff6262822dc37b337e814ed744108e14bacd276f311a9560db307e290f144c72b15632c25f67b26e0508c11c566661717c058d21492

    • SSDEEP

      12288:2xgblOLj6IUyH8LjOh/VYJgDYomJ4NnNiZHK9VForrJVHl9HAkvE1eQpT:ogh8UE6lSDpmJ4Nn8dK9VFoL3LMEQp

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and other code-injection techniques.
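The signatures above and the extracted Telegram C2 in the Malware Config section translate directly into host- and network-level hunting logic. The following is an added example written for this report, not code from the sandbox or from the malware authors: it runs a small set of detection rules over constructed Sysmon-style events (the event records, the victim paths, the "update.exe" exclusion and the list of IP-lookup hosts are all assumptions made for illustration; only the Telegram URL is taken from the report) and splits the Telegram Bot API URL into IOC fields. The ATT&CK technique IDs are the editor's mapping of each behaviour, not a mapping the report provides. The SetThreadContext signature is not covered here because it needs API-level telemetry that this event shape does not carry.

```python
"""Triage constructed telemetry for the Snake Keylogger behaviours listed in
the report (added example; events are constructed, not captured)."""
import re
from urllib.parse import parse_qs, urlparse

# Add-MpPreference with any exclusion switch (Defender exclusion tampering).
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
# Registry value holding the configured country code (geofence check).
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Outlook profile hive (local email client data).
OUTLOOK_PROFILE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles", re.I)
# Browser credential/cookie stores commonly read by infostealers.
BROWSER_STORE = re.compile(
    r"\\(Login Data|Web Data|logins\.json|cookies\.sqlite)$", re.I)
# Assumed list of legitimate external-IP lookup services (not from the report).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com",
                   "api.ipify.org", "icanhazip.com", "ip-api.com"}
# Telegram Bot API: /bot<bot_id>:<token>/<method>
TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Constructed sample telemetry in a Sysmon-like shape (not real capture data).
EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -WindowStyle Hidden -Command "Add-MpPreference '
                r'-ExclusionPath C:\Users\victim\AppData\Roaming '
                r'-ExclusionProcess update.exe -ExclusionExtension exe"'},
    {"type": "registry_read",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns_query", "query": "checkip.dyndns.org"},
    {"type": "file_read",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry_read",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "network_connect",   # C2 URL as extracted in the report
     "url": "https://api.telegram.org/bot6586430362:AAFht6dWuqVwCGM9yLNchh9SF2eYj5iNi4w/sendMessage?chat_id=7062552884"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},   # benign control event
]


def extract_telegram_c2(url):
    """Split a Telegram Bot API URL into IOC fields; None if it is not one."""
    m = TELEGRAM_BOT.match(url)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    chat_id = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
    return {
        "bot_id": bot_id,
        "token": f"{bot_id}:{secret}",   # the full bot token is the credential
        "method": method,
        "chat_id": chat_id,
        "defanged": url.replace("https://", "hxxps://")
                       .replace("api.telegram.org", "api[.]telegram[.]org"),
    }


def triage(events):
    """Return (ATT&CK technique, finding) pairs for events matching a rule.

    Technique IDs are the editor's mapping of each reported behaviour."""
    hits = []
    for e in events:
        t = e["type"]
        if t == "process_create" and DEFENDER_EXCLUSION.search(e.get("cmdline", "")):
            hits.append(("T1562.001", "PowerShell Add-MpPreference adds Defender exclusions"))
        elif t == "registry_read" and GEO_KEY.search(e["key"]):
            hits.append(("T1614", "reads configured country code (likely geofence)"))
        elif t == "registry_read" and OUTLOOK_PROFILE.search(e["key"]):
            hits.append(("T1114.001", "accesses Outlook profile data"))
        elif t == "dns_query" and e["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("T1016", "external IP lookup via web service"))
        elif t == "file_read" and BROWSER_STORE.search(e["path"]):
            hits.append(("T1555.003", "reads browser credential store"))
        elif t == "network_connect" and extract_telegram_c2(e["url"]):
            hits.append(("T1567", "Telegram Bot API used as C2/exfil channel"))
    return hits


if __name__ == "__main__":
    for technique, finding in triage(EVENTS):
        print(f"{technique:<10} {finding}")
    print(extract_telegram_c2(EVENTS[5]["url"])["defanged"])
```

On a live host the Add-MpPreference rule can be cross-checked against Windows Defender Operational log event 5007 (configuration changed) and the current output of Get-MpPreference; the Telegram rule is worth keeping even without the full URL, since any outbound request to api.telegram.org from an unsigned user-profile binary is unusual for most fleets.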

MITRE ATT&CK Enterprise v15

Tasks