Resubmissions

11-10-2024 07:33

241011-jd1fbaxerm 10

11-10-2024 07:29

241011-jbkl3sxdpr 10

11-10-2024 07:11

241011-h1ddma1ejb 10

11-10-2024 07:00

241011-hs54nswcrj 10

General

  • Target

    malw.exe

  • Size

    724KB

  • Sample

    241011-jd1fbaxerm

  • MD5

    208a7cf0646365f76dd6e381e96cf6f3

  • SHA1

    21d89072373999a525a29882802eb639c6850c03

  • SHA256

    8a33c8b3367ce89f7b0a54accfb415c98f1c6ebadf1fb72d150c575fa85b7b5d

  • SHA512

    05b980d8c72289a5d3e8d4134a9b285c82dea833c5f3016ea627649bfea5def48ddb136e3909b77b37a8b2d017965ac123a023e5439cd1319cda339f94d6a681

  • SSDEEP

    12288:MjqZqdLyerVbCx3YNo18QAulSOfiH93n5N2Ia5oMsn3+wQBBQA6AfwBhptfO5ItE:+qZq5rVbCx3YNdQ1xw5cIhKlBH6EwDzC

Malware Config

Targets

    • Target

      malw.exe

    • Size

      724KB

    • MD5

      208a7cf0646365f76dd6e381e96cf6f3

    • SHA1

      21d89072373999a525a29882802eb639c6850c03

    • SHA256

      8a33c8b3367ce89f7b0a54accfb415c98f1c6ebadf1fb72d150c575fa85b7b5d

    • SHA512

      05b980d8c72289a5d3e8d4134a9b285c82dea833c5f3016ea627649bfea5def48ddb136e3909b77b37a8b2d017965ac123a023e5439cd1319cda339f94d6a681

    • SSDEEP

      12288:MjqZqdLyerVbCx3YNo18QAulSOfiH93n5N2Ia5oMsn3+wQBBQA6AfwBhptfO5ItE:+qZq5rVbCx3YNdQ1xw5cIhKlBH6EwDzC

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks