General

  • Target

    rliquida____odefaturadepagamento.exe

  • Size

    2.3MB

  • Sample

    241008-qvk6aazbjl

  • MD5

    383574fcb2a1b030666cb7c3be603445

  • SHA1

    2fcf52b141d329798d4d9c6fc1c2b3326a8ccdc9

  • SHA256

    b0a9e6a7deccda1f29e48f243f15e225f59e9fe11e7ce25f9433e3f8d233ad6c

  • SHA512

    92f6bbb31d94f72e3fdf1396270563647f22f853828658ab9843616cb2d534ce2b3081df87bb2129bee267cfa83f8aaa7dfaf447a8d104a6c89ef049a4562e8a

  • SSDEEP

    24576:XNw5wQb8vxzKM8LKbaxrNzlEUBFs6JYH2oDXPtJv55njhYzuyKpraS7FFX:XNQbNEaxrNzl5FYJLtpxwuyuF

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.setarehatlaspars.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Set@reh1398

Extracted

Family

snakekeylogger

Targets

    • Target

      rliquida____odefaturadepagamento.exe

    • Size

      2.3MB

    • MD5

      383574fcb2a1b030666cb7c3be603445

    • SHA1

      2fcf52b141d329798d4d9c6fc1c2b3326a8ccdc9

    • SHA256

      b0a9e6a7deccda1f29e48f243f15e225f59e9fe11e7ce25f9433e3f8d233ad6c

    • SHA512

      92f6bbb31d94f72e3fdf1396270563647f22f853828658ab9843616cb2d534ce2b3081df87bb2129bee267cfa83f8aaa7dfaf447a8d104a6c89ef049a4562e8a

    • SSDEEP

      24576:XNw5wQb8vxzKM8LKbaxrNzlEUBFs6JYH2oDXPtJv55njhYzuyKpraS7FFX:XNQbNEaxrNzl5FYJLtpxwuyuF

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
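
The behaviours above (Run-key persistence, an external IP lookup, and SMTP exfiltration to the extracted host on port 587) translate directly into endpoint telemetry. The following is an added example, not part of the sandbox report or the vendor's tooling: it triages Sysmon-style events (EventID 13 registry value set, 22 DNS query, 3 network connection) against those indicators. The exfiltration host and port come from the extracted config above; the list of IP-lookup domains is an assumption, since the report only says a "legitimate IP lookup service" without naming it; the sample events, process GUIDs, Run value name and Outlook mail server are constructed for the example.

```python
"""Added example (not from the sandbox report): triage Sysmon-style events
against the behaviours the report lists for this Snake Keylogger sample."""
import json
from collections import defaultdict

# Indicators taken from the extracted config above.
EXFIL_HOST = "webmail.setarehatlaspars.com"
EXFIL_PORT = 587

# Assumption, not from the report: the report only says the sample "uses a
# legitimate IP lookup service" and does not name it, so this set is illustrative.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com"}

# Registry paths behind "Adds Run key to start application" (HKLM, HKCU and HKU).
RUN_KEY_FRAGMENTS = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
)

# Mail clients that legitimately speak SMTP; anything else on a submission port is odd.
MAIL_CLIENT_IMAGES = ("outlook.exe", "thunderbird.exe")
SMTP_PORTS = {25, 465, 587}


def classify(event):
    """Map one Sysmon event (as a dict) to the report behaviour it evidences, or None."""
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (Value Set)
        target = event.get("TargetObject", "").lower()
        if any(frag in target for frag in RUN_KEY_FRAGMENTS):
            return "run_key_persistence"
    elif eid == 22:  # DnsQuery
        qname = event.get("QueryName", "").lower()
        if qname in IP_LOOKUP_HOSTS:
            return "external_ip_lookup"
        if qname == EXFIL_HOST:
            return "exfil_host_dns"
    elif eid == 3:  # NetworkConnect
        host = event.get("DestinationHostname", "").lower()
        port = event.get("DestinationPort")
        image = event.get("Image", "").lower()
        if host == EXFIL_HOST and port == EXFIL_PORT:
            return "smtp_exfil"
        if port in SMTP_PORTS and not image.endswith(MAIL_CLIENT_IMAGES):
            return "smtp_from_non_mail_client"
    return None


def parse_events(jsonl):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Group matched behaviours per ProcessGuid -> sorted list of behaviour names."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag is not None:
            hits[ev.get("ProcessGuid", "?")].add(tag)
    return {guid: sorted(tags) for guid, tags in hits.items()}


def flag(hits, threshold=2):
    """Processes showing at least `threshold` distinct report behaviours."""
    return {guid for guid, tags in hits.items() if len(tags) >= threshold}


# Constructed sample events (not real telemetry). Process GUIDs, the Run value
# name "updater" and the Outlook SMTP server are made up for this example.
SAMPLE_EVENTS = r"""
{"EventID": 13, "ProcessGuid": "{MAL-0001}", "Image": "C:\\Users\\u\\rliquida____odefaturadepagamento.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}
{"EventID": 22, "ProcessGuid": "{MAL-0001}", "QueryName": "checkip.dyndns.org"}
{"EventID": 22, "ProcessGuid": "{MAL-0001}", "QueryName": "webmail.setarehatlaspars.com"}
{"EventID": 3, "ProcessGuid": "{MAL-0001}", "Image": "C:\\Users\\u\\rliquida____odefaturadepagamento.exe", "DestinationHostname": "webmail.setarehatlaspars.com", "DestinationPort": 587}
{"EventID": 3, "ProcessGuid": "{OL-0002}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationHostname": "smtp.office365.com", "DestinationPort": 587}
{"EventID": 13, "ProcessGuid": "{OL-0002}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\LastRun"}
"""

if __name__ == "__main__":
    hits = triage(parse_events(SAMPLE_EVENTS))
    for guid in sorted(flag(hits)):
        print(guid, hits[guid])
```

Requiring two distinct behaviours from the same process before flagging keeps a lone DNS lookup of an IP-echo service (which some legitimate software does) from paging anyone, while a single process that both writes a Run value and opens port 587 to the extracted host is exactly the pattern the report describes. The non-mail-client SMTP check is the generic fallback for when the sample is rebuilt with a different exfiltration mailbox.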

MITRE ATT&CK Enterprise v15

Tasks