General

  • Target: 5cec1a4f7af5d3a112c48c7253d3ec7539bb9c8f1e656b51a14567065d948fb2
  • Size: 485KB
  • Sample: 241021-ynl31avenq
  • MD5: 640c9c7204ed15df55422dbccd448a78
  • SHA1: 82dc274442fb92e9654877031a580195e35e01a9
  • SHA256: 5cec1a4f7af5d3a112c48c7253d3ec7539bb9c8f1e656b51a14567065d948fb2
  • SHA512: 3dd9ad55fcd8af7efd9d913fe875cd18a3d8333877af691a0cfc58d285e07c60a3300bedbff405a54100f75ef874fd842bbc458ee019abdada70c3da1b9033e9
  • SSDEEP: 12288:CbezYflL3PIdhKyjgvJ6uSFpoWfXCRCGx:CbebhKy0vcumpvXGx

Malware Config

Extracted

  • Family: snakekeylogger
  • Credentials
  • C2:
    http://varders.kozow.com:8081
    http://aborters.duckdns.org:8081
    http://anotherarmy.dns.army:8081

Targets

    • Target: Quotation Reference No DX2265.exe
    • Size: 503KB
    • MD5: fa80fb2fedf1df252aa7c10c6cf22ff5
    • SHA1: 65dbe24bb00dc5278926b1849a1e853d72d6d372
    • SHA256: 8c9a2cdbc372e1eb39e247cc1d444c7b97c35061aaf9aa568c421fbc8c0d0cad
    • SHA512: 8fe343882e1627d7a9c36809ca051f27f2cd37769fcb0135c076f0173090acbac76cda912bc934d299c5465f7f274ca3e68296b1abadfa0b32141a2c9d25a909
    • SSDEEP: 12288:yg72ChrTx3+u+KaqNbXq1o8lIyBnxlQqVMORM:1ngjKaW6dISnxlQqVTR

    Signatures

    • Snake Keylogger: keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext
