General
-
Target
Enquiry 88210103.rar
-
Size
492KB
-
Sample
240926-qsynlasgna
-
MD5
5ed07e40488110a5e6e23440dcb0dc6d
-
SHA1
852fbaae05f754995e44db60089869a7415c1240
-
SHA256
0d737e84a2f2b3d91744226d6b4a83b17e9205799f8efc703404839c308e3094
-
SHA512
3393f3eeff9bddcaad18d381e88c4595eb52ee2a3a3aa317b96aa2b44433c9c708e40c785fd7b00290d6d42d43005cf57cf7c011c0e93b0d6da6a1657e2ac415
-
SSDEEP
12288:KnJdugAqWCmPDE5oZANlQco33O/uaqXaizvV8U5NnS:KnJdJuDu7D63maKcv+2S
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7519296385:AAFFI2mxNdfa3ltOQw6_L0rzJGbiW-4SUz4/sendMessage?chat_id=5116181161
Targets
-
-
Target
Enquiry 88210103.exe
-
Size
551KB
-
MD5
86e68a876e55e70275d6759c10de5345
-
SHA1
0a15cf065fe62814d1c7bdb09508f99699e0b8ec
-
SHA256
20cd59764483a62bfcf3d0b85cb92a3ba2dfcb1ef9303c3cef574ef9def84fcf
-
SHA512
b9632c31b47c489629bbb74e94493aa4c79f76204cdfa569aedbd957e2f11a159b390a700528f7abb1af3578a4d188b4e703162b769328dfd9b2abb11360500d
-
SSDEEP
12288:Pd+24kzKDSd1JqakAuiJurlPQFfA0xYsPzDtl8wYge:r4kpqaWiJMPQFY0xvPzDf9
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-