General

  • Target

    Updated New Order.xls

  • Size

    938KB

  • Sample

    241003-hwh4bavajb

  • MD5

    39e2230ab8f6d983bee40367b44d0d99

  • SHA1

    92e81d6b42529bd3171b4541ea252fce6ba3c010

  • SHA256

    ed0b1f5749e23d2494de9cdeda7aca03c44690e22dfbd2f4b5f96baa73986406

  • SHA512

    2d9e2060a4251c50e3d32896d71025fc57c2e588d5cbd88ce0c9ba52287f4e40d4775f528958032f7323c3f02d3a0e9e39872e5427b5ed3e9dbbfcd8234ba90c

  • SSDEEP

    12288:UmzHJEjwWYSRD3DERnLRmF8Dl3PT7uZNPK+N4Uu/UbH0ilKLdcoCYd8Eojy1f9w:ncwHSRbARM8B3l+iv/UbUxLdwYLom1V

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Updated New Order.xls

    • Size

      938KB

    • MD5

      39e2230ab8f6d983bee40367b44d0d99

    • SHA1

      92e81d6b42529bd3171b4541ea252fce6ba3c010

    • SHA256

      ed0b1f5749e23d2494de9cdeda7aca03c44690e22dfbd2f4b5f96baa73986406

    • SHA512

      2d9e2060a4251c50e3d32896d71025fc57c2e588d5cbd88ce0c9ba52287f4e40d4775f528958032f7323c3f02d3a0e9e39872e5427b5ed3e9dbbfcd8234ba90c

    • SSDEEP

      12288:UmzHJEjwWYSRD3DERnLRmF8Dl3PT7uZNPK+N4Uu/UbH0ilKLdcoCYd8Eojy1f9w:ncwHSRbARM8B3l+iv/UbUxLdwYLom1V

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks