General
-
Target
HESAP DETAYLARI.pdf.z
-
Size
641KB
-
Sample
241010-sbaxbawhnj
-
MD5
6cb90df6a4c31789b2a4684e41fa5b8a
-
SHA1
faecadc468571e53d85f26b2707681bffbd05725
-
SHA256
02819e773a13044621b353b140bb3dde208897eac32b4a267de15f65a963a93e
-
SHA512
8dbd825885ebd82563e4f75fd73d341effea0e44c05de7e82239ccc14b2b3257344efc68bd587a42c1ec439cc05ae9a42f5869a9bd25be86cd313ec6e7d4d4c0
-
SSDEEP
12288:m+1o1xfFW3EXPysap70RV1iFWnrqUoqCjogY9OcaSCUF6SGY2MxIZ6nr:mz1dk3EyRpyV1BqUo/joZDl1FKY1xIsr
Malware Config
Targets
-
-
Target
HESAP DETAYLARI.exe
-
Size
710KB
-
MD5
a6cdd79d35c00a004238683b35b8ded4
-
SHA1
a00078c30e86c90699c55eb66ecfac648a391f7d
-
SHA256
7cfb12add202af6cf627f8d79618f0c7c2eeb7da275835b741138c006d23a3bc
-
SHA512
188559a8bbf8efa741c78f5a1809f98704cff5efb72e6cad799734c455e05b3ff125f3408ab4ee167e232ae1db4c4f41eefe85998947c155084295fe5eddb579
-
SSDEEP
12288:kAqxcdkyerVbCx3YNg9vl01uhuQPLFPeM8q8FEVjU+Jd1cN1Jqg:JqxcGrVbCx3YNMvlIOuQP8qppTUJ
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-