General

  • Target

    74d6ad148e3cbc20e9ffdc0a98afb58d4ce813a30966b08d82cbc195535de1fe.exe

  • Size

    788KB

  • Sample

    240712-wckdxstekm

  • MD5

    c1c8248dbee8c637d345edcbfd7eaac0

  • SHA1

    7d72dbe4f76da77b479301cb0488447771e7a1b6

  • SHA256

    74d6ad148e3cbc20e9ffdc0a98afb58d4ce813a30966b08d82cbc195535de1fe

  • SHA512

    bb734d6c97eb0564857d389f8d5b94b2712fe37ca0e7667a7835583828efc8853f9aa0ac57cac77f42db7d294fe3f733622c66b124ba6b09aba167ca182a1988

  • SSDEEP

    12288:daoOaTGw49hCTdN/uWBxouYft8pjs0pwvxM/r9RKGqHmIdD+e:copTx8CTtouCt2Y0eMz9RKHHF9R

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7377884885:AAGDE6_d9hXHQkXeQnXVnXZia5CIJu4gajM/sendMessage?chat_id=7161549085

Targets

    • Target

      74d6ad148e3cbc20e9ffdc0a98afb58d4ce813a30966b08d82cbc195535de1fe.exe

    • Size

      788KB

    • MD5

      c1c8248dbee8c637d345edcbfd7eaac0

    • SHA1

      7d72dbe4f76da77b479301cb0488447771e7a1b6

    • SHA256

      74d6ad148e3cbc20e9ffdc0a98afb58d4ce813a30966b08d82cbc195535de1fe

    • SHA512

      bb734d6c97eb0564857d389f8d5b94b2712fe37ca0e7667a7835583828efc8853f9aa0ac57cac77f42db7d294fe3f733622c66b124ba6b09aba167ca182a1988

    • SSDEEP

      12288:daoOaTGw49hCTdN/uWBxouYft8pjs0pwvxM/r9RKGqHmIdD+e:copTx8CTtouCt2Y0eMz9RKHHF9R

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      4d3b19a81bd51f8ce44b93643a4e3a99

    • SHA1

      35f8b00e85577b014080df98bd2c378351d9b3e9

    • SHA256

      fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

    • SHA512

      b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

    • SSDEEP

      192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      3eb4cd50dcb9f5981f5408578cb7fb70

    • SHA1

      13b38cc104ba6ee22dc4dfa6e480e36587f4bc71

    • SHA256

      1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf

    • SHA512

      5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324

    • SSDEEP

      96:+7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNv3e:QXhHR0aTQN4gRHdMqJVgNG

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks