General

  • Target

    ae07c4e8171fb3f7b72d667d9af8924f762d92ff71d1264c9afec1a7dfbc604dN

  • Size

    723KB

  • Sample

    241013-vm5beascjp

  • MD5

    e8ac142097057e54c67c573ffc4b5200

  • SHA1

    e853bad28e0fabc35e2a14788a6bde6fd28095c1

  • SHA256

    ae07c4e8171fb3f7b72d667d9af8924f762d92ff71d1264c9afec1a7dfbc604d

  • SHA512

    904be41ed9d42e2de44e3c43d200eab88b068a4789cebf0180a636bdc9eb6f775ca809050b0f06b86b7d7c477848bd117840013c84b1a446ee53cb6da86affa9

  • SSDEEP

    12288:+lE9vdcyerVbCx3YNgn0QH72F3JfMNtGVp6yLUYKw7/vAWwFiacwdiHUJ1t6rR:WE9verVbCx3YNgngRppj7/EwacwQ0Jr6

Malware Config

Targets

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (running or exiting depending on the victim's region).

    • Reads user/profile data of local email clients

      Email clients store some user data (profiles, account settings, saved credentials) on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
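
The PowerShell behaviour listed above (Add-/Set-MpPreference used to exclude paths, extensions and processes from Windows Defender) is detectable from PowerShell script-block logging. The following is an added detection example written for this page; it is not part of the sandbox output or of the sample. It assumes script-block text in the shape of Event ID 4104 ScriptBlockText, supplied as (record id, text) pairs; every log line in SAMPLE_RECORDS is constructed for the demonstration, and the set of encoded-command abbreviations it recognises is an assumption covering only the common ones.

```python
"""Flag PowerShell script blocks that add Microsoft Defender exclusions
or switch Defender protection off (added example; constructed log lines)."""
import base64
import re
from dataclasses import dataclass

# Cmdlets that change Defender preferences.
MP_CMDLET_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.IGNORECASE)

# Parameters worth alerting on. The first three are the exclusion types named in
# the report; the rest disable protection. Keys are lower-case canonical names.
WATCHED_PARAMS = {
    "exclusionpath": "exclusion",
    "exclusionextension": "exclusion",
    "exclusionprocess": "exclusion",
    "exclusionipaddress": "exclusion",
    "disablerealtimemonitoring": "disable",
    "disableioavprotection": "disable",
    "disablebehaviormonitoring": "disable",
    "disablescriptscanning": "disable",
}

# A "-Name" token not glued to a preceding word, so "Add-MpPreference" is not
# read as a parameter called MpPreference.
PARAM_RE = re.compile(r"(?<!\w)-(\w+)")

# -EncodedCommand and common abbreviations, followed by base64 (assumption: other
# unambiguous prefixes such as -en or -enco are not covered here).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    record_id: int
    cmdlet: str          # cmdlet as written in the log
    parameter: str       # canonical (lower-case) parameter name
    kind: str            # "exclusion" or "disable"
    from_encoded: bool   # True if found only after decoding -EncodedCommand


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def resolve_parameter(token: str):
    """Map a parameter token to a watched parameter name, or None.

    PowerShell binds any unambiguous prefix of a parameter name, so -ExclusionPat
    means -ExclusionPath. The same rule is applied against the watched set only,
    which is deliberately over-inclusive: a prefix unique here may still be
    ambiguous among the cmdlet's full parameter list and be rejected at runtime.
    """
    token = token.lower()
    candidates = [p for p in WATCHED_PARAMS if p.startswith(token)]
    return candidates[0] if len(candidates) == 1 else None


def scan_text(record_id: int, text: str, from_encoded: bool = False) -> list:
    findings = []
    # Statements are separated by ';', '|' or newlines; parameters bind per statement.
    for statement in re.split(r"[;|\r\n]+", text):
        cmdlet = MP_CMDLET_RE.search(statement)
        if cmdlet is None:
            continue
        for token in PARAM_RE.findall(statement[cmdlet.end():]):
            name = resolve_parameter(token)
            if name is not None:
                findings.append(Finding(record_id, cmdlet.group(0), name,
                                        WATCHED_PARAMS[name], from_encoded))
    # Decode -EncodedCommand payloads and scan the recovered plaintext as well.
    for b64 in ENCODED_RE.findall(text):
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; ignore
        findings.extend(scan_text(record_id, decoded, from_encoded=True))
    return findings


def scan_records(records) -> list:
    """records: iterable of (record_id, script_block_text) pairs."""
    out = []
    for record_id, text in records:
        out.extend(scan_text(record_id, text))
    return out


# Constructed script-block texts (not taken from the sandbox run).
SAMPLE_RECORDS = [
    # Benign: an administrator reading the current exclusions.
    (1, "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"),
    # The pattern in this report: one call excluding a path, an extension and a process.
    (2, 'Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension ".exe" '
        '-ExclusionProcess "dropper.exe"'),
    # Real-time protection off, then an exclusion via an abbreviated parameter name.
    (3, "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPat C:\\ProgramData"),
    # The same exclusion hidden behind -EncodedCommand.
    (4, "powershell.exe -nop -w hidden -enc " + encode_ps('Add-MpPreference -ExclusionProcess "dropper.exe"')),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.cmdlet} -{f.parameter} ({f.kind}"
              f"{', decoded' if f.from_encoded else ''})")
```

Record 1 produces nothing (reading exclusions is not tampering); records 2 and 3 each produce one finding per watched parameter, including the abbreviated -ExclusionPat; record 4 is caught only because the -enc payload is decoded and rescanned, which is the step a plain string match on the outer command line would miss.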

MITRE ATT&CK Enterprise v15

Tasks