General
-
Target
Enquiry 88210103.exe
-
Size
551KB
-
Sample
240924-rezjea1flb
-
MD5
86e68a876e55e70275d6759c10de5345
-
SHA1
0a15cf065fe62814d1c7bdb09508f99699e0b8ec
-
SHA256
20cd59764483a62bfcf3d0b85cb92a3ba2dfcb1ef9303c3cef574ef9def84fcf
-
SHA512
b9632c31b47c489629bbb74e94493aa4c79f76204cdfa569aedbd957e2f11a159b390a700528f7abb1af3578a4d188b4e703162b769328dfd9b2abb11360500d
-
SSDEEP
12288:Pd+24kzKDSd1JqakAuiJurlPQFfA0xYsPzDtl8wYge:r4kpqaWiJMPQFY0xvPzDf9
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7519296385:AAFFI2mxNdfa3ltOQw6_L0rzJGbiW-4SUz4/sendMessage?chat_id=5116181161
Targets
-
-
Target
Enquiry 88210103.exe
-
Size
551KB
-
MD5
86e68a876e55e70275d6759c10de5345
-
SHA1
0a15cf065fe62814d1c7bdb09508f99699e0b8ec
-
SHA256
20cd59764483a62bfcf3d0b85cb92a3ba2dfcb1ef9303c3cef574ef9def84fcf
-
SHA512
b9632c31b47c489629bbb74e94493aa4c79f76204cdfa569aedbd957e2f11a159b390a700528f7abb1af3578a4d188b4e703162b769328dfd9b2abb11360500d
-
SSDEEP
12288:Pd+24kzKDSd1JqakAuiJurlPQFfA0xYsPzDtl8wYge:r4kpqaWiJMPQFY0xvPzDf9
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-