General
- Target: 13092024_0410_11092024_Purchase Order 0000258691.rar
- Size: 487KB
- Sample: 240913-erjbqsthjb
- MD5: 724c9776325c64a2810ff069c9d6caf3
- SHA1: b4d7922b2253e6a2bf3d39426089fe616bd87d69
- SHA256: 06857b08dab8c4aa8d9c075acfc30093242b3c256b6e91b1b68e8ee98f7a7b8b
- SHA512: 8692afb2871def514034f88a7e22d4d5a91fcc68592305bc22d2e142d385d7436805782c138ccb1aff3c88b1ef4a44ddc47b423b9d9856f30de480033d9e2515
- SSDEEP: 12288:I/a2FzS3Zpow33bcC/qzbW//ChqHmOdEgq7t7qUcKcqE:r2FG3ZiwIbW3Iq/dEThW/
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order 0000258691.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Purchase Order 0000258691.exe
  Resource: win10v2004-20240802-en
Malware Config
Targets
- Target: Purchase Order 0000258691.exe
- Size: 512KB
- MD5: 973947da93027a6c61b949ab7f44f956
- SHA1: 3daf77c22b19276e29137ec95b0ec90249aeb6b5
- SHA256: 505741d52f89c89dc156768a0714a0e500d1ecae923de1eff6cea7b393cace78
- SHA512: 35ca5d7566d7b656d3843c555311324ac3f7173a36a331e522e4886ff41dda0d7e803feb57bd617c57bcb81bdffc62971afc512bf2d49f010e968a8bb14cf3ce
- SSDEEP: 12288:tt7kvCaWgLfmVJik+ZUbCPGCrtGhtu7STpJE:ttoCaWgLfwi5ZR9Ghtu7
- Snake Keylogger payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
  Thread-context manipulation, commonly used for process injection and process hollowing.
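The behaviours listed above translate directly into host-telemetry detections. As an added example (not code from the sandbox report or from the sample), the following Python maps a handful of constructed Sysmon-style event records onto the report's behaviour labels. It decodes a PowerShell -EncodedCommand payload before matching so that an obfuscated Add-MpPreference call is still caught, and it recognises comma-separated exclusion lists. The event field names, the IP-lookup host list, the browser credential-store file names, and the registry paths used for the country code and Outlook profiles are assumptions to adapt to your own telemetry schema.

```python
"""Map endpoint telemetry onto the behaviours reported above.

Added example, not code from the sandbox report.  The event records below are
constructed Sysmon-style dicts; their field names, the IP-lookup host list,
the credential-store file names and the registry paths are assumptions.
"""
import base64
import re
from collections import defaultdict

# The report says the sample runs PowerShell to add Defender exclusions; the
# cmdlets and parameters that do that are Add-/Set-MpPreference with
# -ExclusionPath / -ExclusionExtension / -ExclusionProcess.
MP_CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
EXCLUSION_RE = re.compile(r'''(?i)-Exclusion(Path|Extension|Process)\s+("[^"]*"|'[^']*'|\S+)''')
# -e / -ec / -enc / ... / -EncodedCommand followed by base64 of a UTF-16LE script.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
# Assumed to be the registry value behind "country code configured in the registry".
GEO_KEY_RE = re.compile(r"(?i)\\Control Panel\\International\\Geo\\Nation$")
# Outlook profile containers (current Office and the legacy MAPI location).
OUTLOOK_RE = re.compile(r"(?i)\\(?:Outlook|Windows Messaging Subsystem)\\Profiles(?:\\|$)")
# Chromium and Firefox credential-store files (assumed list).
BROWSER_STORE_RE = re.compile(r"(?i)\\(?:Login Data|Web Data|logins\.json|key4\.db|Local State)$")
# Public-IP lookup services stealers commonly query (assumed list; the report
# does not name the service this sample used).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}


def decode_encoded_command(cmdline: str) -> str:
    """Return cmdline with an -EncodedCommand payload decoded in place, else unchanged."""
    for m in ENCODED_RE.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            decoded = base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        return cmdline[: m.start()] + " " + decoded
    return cmdline


def defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """Extract (kind, value) Defender exclusions set via Add-/Set-MpPreference."""
    text = decode_encoded_command(cmdline)
    if not MP_CMDLET_RE.search(text):
        return []
    found = []
    for kind, raw in EXCLUSION_RE.findall(text):
        for value in raw.strip("\"'").split(","):  # -ExclusionExtension exe,dll
            value = value.strip().strip("\"'")
            if value:
                found.append((kind.capitalize(), value))
    return found


def encoded_powershell(script: str) -> str:
    """Build a PowerShell command line that hides `script` behind -enc (for the sample data)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell.exe -NoProfile -ExecutionPolicy Bypass -enc {b64}"


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group evidence under the behaviour labels used in the report."""
    hits: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            for exc_kind, value in defender_exclusions(ev.get("cmdline", "")):
                hits["Command and Scripting Interpreter: PowerShell"].append(
                    f"Defender exclusion ({exc_kind}): {value}")
        elif kind == "registry":
            key = ev.get("key", "")
            if GEO_KEY_RE.search(key):
                hits["Checks computer location settings"].append(key)
            if OUTLOOK_RE.search(key):
                hits["Accesses Microsoft Outlook profiles"].append(key)
        elif kind == "file":
            path = ev.get("path", "")
            if BROWSER_STORE_RE.search(path):
                hits["Credentials from Web Browsers"].append(path)
        elif kind == "dns":
            host = ev.get("query", "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].append(host)
    return dict(hits)


SAMPLE_EVENTS = [  # constructed for this example, not taken from the sandbox run
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming" '
                r'-ExclusionExtension exe -ExclusionProcess "Purchase Order 0000258691.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": encoded_powershell(r"Set-MpPreference -ExclusionPath C:\Users\Public")},
    {"type": "registry", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "query": "checkip.dyndns.org"},
    {"type": "dns", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for label, evidence in triage(SAMPLE_EVENTS).items():
        print(label)
        for item in evidence:
            print("   ", item)
```

The one behaviour this telemetry cannot surface is the SetThreadContext call, which needs API-level monitoring (a sandbox hook, ETW-based injection telemetry, or an EDR sensor) rather than process, registry, file or DNS events.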