General
-
Target
MTO of Valves balongan minus.zip
-
Size
656KB
-
Sample
241016-j36nmaveqq
-
MD5
87135da036db068521ea5803e97b61fe
-
SHA1
47ca2f2576bb48dd9fa60763fd67b28d83da7743
-
SHA256
d6b55f9a2ba4d6af0dc95d605e7bf7183c50128f5e1a4ce989c8aeef42d06d45
-
SHA512
d4b65a63170f579b3bf997092f29eb1bea534795331506e116497661c41ca31190a5adcb236ca48788432ab62164df238ed0c7888f78192544e2f971c43bcf5a
-
SSDEEP
12288:JnEgyIhgEySWJhdGRyHkeQQdoHF0HXUA8jvA2wFiocw51RQMSN:Jdh0SWsRCRViH0ujawocw51o
Malware Config
Targets
-
-
Target
MTO of Valves balongan minus.exe
-
Size
723KB
-
MD5
e8ac142097057e54c67c573ffc4b5200
-
SHA1
e853bad28e0fabc35e2a14788a6bde6fd28095c1
-
SHA256
ae07c4e8171fb3f7b72d667d9af8924f762d92ff71d1264c9afec1a7dfbc604d
-
SHA512
904be41ed9d42e2de44e3c43d200eab88b068a4789cebf0180a636bdc9eb6f775ca809050b0f06b86b7d7c477848bd117840013c84b1a446ee53cb6da86affa9
-
SSDEEP
12288:+lE9vdcyerVbCx3YNgn0QH72F3JfMNtGVp6yLUYKw7/vAWwFiacwdiHUJ1t6rR:WE9verVbCx3YNgngRppj7/EwacwQ0Jr6
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-