General

  • Target

    FACTURAS2024-665.exe

  • Size

    1.0MB

  • Sample

    241008-sctqtasbmq

  • MD5

    7fe1b33acbb4390827636fbbe0bbeec7

  • SHA1

    6f7df0c28218e0a28f67c0b3a8e5d7f87206a8cb

  • SHA256

    824e4e4246a92fc2bfe21b29045a8c60e1f73f14ca7d846c140ac2ef5d817e5e

  • SHA512

    e0504c344a51829b964b8713d939bd2b2279335b085252ac8fefd39ad613fa51c51594df7e8d99ce91c38ce922d23a479818cdd1f353841ab3edf28277757826

  • SSDEEP

    12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLvOByP0HUJWO+WF/bsB26tVMk9+U29V:ffmMv6Ckr7Mny5QLYBWyo67h9AdpfPP

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7952998151:AAFh98iY7kaOlHAR0qftD3ZcqGbQm0TXbBY/sendMessage?chat_id=5692813672

Targets

    • Target

      FACTURAS2024-665.exe

    • Size

      1.0MB

    • MD5

      7fe1b33acbb4390827636fbbe0bbeec7

    • SHA1

      6f7df0c28218e0a28f67c0b3a8e5d7f87206a8cb

    • SHA256

      824e4e4246a92fc2bfe21b29045a8c60e1f73f14ca7d846c140ac2ef5d817e5e

    • SHA512

      e0504c344a51829b964b8713d939bd2b2279335b085252ac8fefd39ad613fa51c51594df7e8d99ce91c38ce922d23a479818cdd1f353841ab3edf28277757826

    • SSDEEP

      12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLvOByP0HUJWO+WF/bsB26tVMk9+U29V:ffmMv6Ckr7Mny5QLYBWyo67h9AdpfPP

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks