General

  • Target

    71eba39e12395d9976498f3e4a3149a91ef60781a028165c1e4411b5d9101f38.exe

  • Size

    967KB

  • Sample

    240920-btevjs1gne

  • MD5

    92e968ac53d2d4e180df2f21673a0839

  • SHA1

    4be19b7994ca2858a98350943ff68e90432007d7

  • SHA256

    71eba39e12395d9976498f3e4a3149a91ef60781a028165c1e4411b5d9101f38

  • SHA512

    41b0443d5bfc450df9c0b882b75a9c9114511986637c5596674ab59a85dfe0981cba51012bd2ce9dae63ea58f4b08b5e8bd8a19ae88f2677223b472f221bcb84

  • SSDEEP

    24576:uRmJkcoQricOIQxiZY1iaC8keeMuBBr47eeJ7hJh:7JZoQrbTFZY1iaCfphLr47bpjh

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.invesxteu.info
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    rwe87$%21q
C2

https://api.telegram.org/bot7459546078:AAGmu84_Q9kndb_8-LhtglvhA0W4Utfq03Y/sendMessage?chat_id=7530923766

Targets

    • Target

      71eba39e12395d9976498f3e4a3149a91ef60781a028165c1e4411b5d9101f38.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data, which holds configured mail account settings and saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP. On its own this is benign; it becomes meaningful next to the credential access and the SMTP/Telegram traffic above, since stealers commonly report the victim's IP alongside the stolen data.

    • Suspicious use of SetThreadContext

      Commonly used by process hollowing and similar injection techniques to point a suspended thread at injected code before resuming it.
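As an added example that is not part of this report, the script below turns the extracted config (SMTP exfiltration host/port and the Telegram sendMessage URL) into network indicators, splits the Telegram URL into its bot id, token, method and chat_id, and runs the indicators over a few constructed key=value proxy log lines so the "looks up external IP" signature is scored only as supporting evidence. The log format, the log lines and the list of IP-lookup hosts are assumptions; the report names no lookup service, and the obfuscated SMTP username is deliberately not used.

```python
"""Turn the extracted Snake Keylogger config into network indicators and
run them over a few constructed proxy log lines.

Added example; it is not part of the sandbox report. The SMTP host/port and
the Telegram C2 URL are copied from the report. The SMTP username is
obfuscated on the page and is therefore not used as an indicator."""
import re
from urllib.parse import urlsplit, parse_qs

SMTP_HOST = "mail.invesxteu.info"
SMTP_PORT = 587
TELEGRAM_C2 = ("https://api.telegram.org/bot7459546078:"
               "AAGmu84_Q9kndb_8-LhtglvhA0W4Utfq03Y/sendMessage?chat_id=7530923766")

# Assumption: a watchlist of common external-IP lookup services. The report
# only says "a legitimate IP lookup service" and does not name one.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}

# Bot API path: /bot<bot_id>:<token>/<method>. The bot id is the stable,
# shareable part; the token is a credential and should be defanged/redacted.
TOKEN_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,50})/(\w+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat_id."""
    parts = urlsplit(url)
    m = TOKEN_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        raise ValueError("not a Telegram Bot API URL: %r" % url)
    bot_id, token, method = m.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "token": token, "method": method, "chat_id": chat_id}


def defang(s):
    """Make an indicator safe to paste into a ticket or report."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def build_indicators(smtp_host, smtp_port, telegram_url):
    c2 = parse_telegram_c2(telegram_url)
    return {"smtp_host": smtp_host, "smtp_port": str(smtp_port),
            "bot_id": c2["bot_id"], "chat_id": c2["chat_id"]}


def scan(log_lines, ind):
    """Return (line_no, severity, reason) for every log line that matches."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        f = dict(KV_RE.findall(line))
        dst, dport, url = f.get("dst"), f.get("dport"), f.get("url", "")
        if dst == ind["smtp_host"] and dport == ind["smtp_port"]:
            hits.append((n, "high", "SMTP exfiltration host from the malware config"))
        elif dst == "api.telegram.org":
            try:
                c2 = parse_telegram_c2(url)
            except ValueError:
                hits.append((n, "medium", "Telegram Bot API traffic from an endpoint"))
                continue
            if c2["bot_id"] == ind["bot_id"]:
                hits.append((n, "high", "Telegram bot %s / chat %s from the malware config"
                             % (c2["bot_id"], c2["chat_id"])))
            else:
                hits.append((n, "medium", "Telegram Bot API use by another bot (%s)" % c2["bot_id"]))
        elif dst in IP_LOOKUP_HOSTS:
            hits.append((n, "low", "external IP lookup; only meaningful next to the hits above"))
    return hits


# Constructed proxy log lines (key=value), not taken from the sandbox run.
SAMPLE_LOG = [
    "2024-09-20T10:00:01Z src=10.0.0.5 dst=checkip.dyndns.org dport=80 url=http://checkip.dyndns.org/",
    "2024-09-20T10:00:03Z src=10.0.0.5 dst=mail.invesxteu.info dport=587 proto=tcp",
    "2024-09-20T10:00:04Z src=10.0.0.5 dst=api.telegram.org dport=443 url=" + TELEGRAM_C2,
    "2024-09-20T10:05:00Z src=10.0.0.9 dst=api.telegram.org dport=443 "
    "url=https://api.telegram.org/bot123456789:AAEexampleTOKENexampleTOKENexampl/getUpdates",
    "2024-09-20T10:06:00Z src=10.0.0.9 dst=mail.example.com dport=587 proto=tcp",
]


def run(log_lines=SAMPLE_LOG):
    return scan(log_lines, build_indicators(SMTP_HOST, SMTP_PORT, TELEGRAM_C2))


if __name__ == "__main__":
    print("C2:", defang(TELEGRAM_C2))
    for n, sev, why in run():
        print("line %d [%s] %s" % (n, sev, why))
```

Matching on the bot id rather than the full token keeps the rule useful if the operator rotates the token, and keeps the credential out of shared indicator lists; any other Telegram Bot API call from a workstation is still surfaced at medium so it can be triaged.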

MITRE ATT&CK Enterprise v15

Tasks