General

  • Target: Enquiry_3098200.pdf.exe
  • Size: 594KB
  • Sample: 241001-wztk4sxekg
  • MD5: 5a4c049cdd59b0409f5c8c4830c3f35a
  • SHA1: 8cc0d53a6da1450e2e6737aa8ebe8c5dd5d428e0
  • SHA256: 59cd0e97583b23237ddbe7b3d7879b07ad0d45625ed3d113ff5b2c23438eb664
  • SHA512: 456d82e03a7b717fd24489a679281d9fa694444a1b935b09120e107a5d58eb642e7ca500e280f52db58cc7690efe6c33c0b1af99a9aa40f27e40abd25b127d42
  • SSDEEP: 12288:j5fQVmCMdpGzxnVA0RdF0YwWsabDru4C65t9:j5fQUWz1O0RMu/yq9

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target: Enquiry_3098200.pdf.exe
    • Size: 594KB
    • MD5: 5a4c049cdd59b0409f5c8c4830c3f35a
    • SHA1: 8cc0d53a6da1450e2e6737aa8ebe8c5dd5d428e0
    • SHA256: 59cd0e97583b23237ddbe7b3d7879b07ad0d45625ed3d113ff5b2c23438eb664
    • SHA512: 456d82e03a7b717fd24489a679281d9fa694444a1b935b09120e107a5d58eb642e7ca500e280f52db58cc7690efe6c33c0b1af99a9aa40f27e40abd25b127d42
    • SSDEEP: 12288:j5fQVmCMdpGzxnVA0RdF0YwWsabDru4C65t9:j5fQUWz1O0RMu/yq9

    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks