General

  • Target

    Payment copy.exe

  • Size

    699KB

  • Sample

    241022-k9k6yazejj

  • MD5

    24e9f7248721532221948fa1967ee60f

  • SHA1

    6383f2e95ddd7abd76f0be41c98c2f0251144f9f

  • SHA256

    aaffbb91c846cc38793ba7ad53bb5b72487a65fa430e4caec3993d22b28cbf21

  • SHA512

    a8f950a5d35cd972d5b6498e386f33968c34f519d97b5d037638cb97e6f226ce1f2fd01caf286fe7b46d24723b55cc0024da399633f93e7c8595fedaff55812f

  • SSDEEP

    12288:QHuE6cx+QCxBtQ7LUUV00q5+2Glo1XmVUiFK+YPbGxLuyNKBXeQU7:5cx5CxBJUV0fGmSFWBeZ

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.financ-fire.com
  • Port:
    587
  • Username:
    financ1@financ-fire.com
  • Password:
    W6otxNGOdwF9

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.financ-fire.com
  • Port:
    587
  • Username:
    financ1@financ-fire.com
  • Password:
    W6otxNGOdwF9
  • Email To:
    ava386960@gmail.com
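The exfiltration path this report documents, written as detection logic: it takes the SMTP endpoint from the extracted configuration above and the external-IP lookup behaviour listed under the signatures below, and correlates the two per process. This is an added example, not part of the sandbox report and not the malware's own code; the event records are constructed to resemble Sysmon Event ID 3 (network connection) fields, and the process paths, timestamps and IP-lookup host names are assumptions (the report does not name the lookup service).

```python
"""Detection for the exfiltration path this report documents: the sample
looks up its external IP over a public web service, then submits captured
data over SMTP to the extracted host on port 587.

Added example, not part of the sandbox report. The records below are
constructed to resemble Sysmon Event ID 3 (network connection) fields;
process paths, timestamps and the IP-lookup host names are assumptions.
"""
from datetime import datetime, timedelta

# Indicators copied from the extracted malware configuration above.
EXFIL_HOST = "mail.financ-fire.com"
EXFIL_PORT = 587

# SMTP submission/relay ports, and the processes expected to use them.
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Public IP-lookup services frequently abused by stealers (assumption).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}

# An IP lookup followed by SMTP from the same process inside this window is
# reported as one exfiltration sequence.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample events (assumption): Sysmon EID 3 reduced to flat dicts.
SAMPLE_EVENTS = [
    {"ts": "2024-10-22T10:01:12Z",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "outlook.office365.com", "dest_port": 443},
    {"ts": "2024-10-22T10:02:40Z",
     "image": r"C:\Users\user\AppData\Local\Temp\Payment copy.exe",
     "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"ts": "2024-10-22T10:02:41Z",
     "image": r"C:\Users\user\AppData\Local\Temp\Payment copy.exe",
     "dest_host": "mail.financ-fire.com", "dest_port": 587},
    {"ts": "2024-10-22T10:06:30Z",
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dest_host": "smtp.gmail.com", "dest_port": 587},
    {"ts": "2024-10-22T10:09:00Z",
     "image": r"C:\Users\user\AppData\Local\Temp\Payment copy.exe",
     "dest_host": "mail.financ-fire.com", "dest_port": 587},
]


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, process, reason) tuples in chronological order."""
    alerts = []
    last_lookup = {}  # process basename -> time of its most recent IP lookup
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        ts = _parse_ts(ev["ts"])
        image = _basename(ev["image"])
        host = ev["dest_host"].lower()
        port = ev["dest_port"]

        if host in IP_LOOKUP_HOSTS:
            # Low on its own; remembered so a later SMTP connection can be tied to it.
            last_lookup[image] = ts
            alerts.append(("low", image, f"external IP lookup via {host}"))
            continue

        if host == EXFIL_HOST and port == EXFIL_PORT:
            alerts.append(("high", image, "connection to extracted Snake Keylogger SMTP host"))
        elif port in SMTP_PORTS and image not in MAIL_CLIENTS:
            alerts.append(("medium", image, f"SMTP to {host}:{port} from non-mail process"))
        else:
            continue

        # Tie this SMTP connection to a recent IP lookup by the same process.
        lookup_ts = last_lookup.get(image)
        if lookup_ts is not None and ts - lookup_ts <= CORRELATION_WINDOW:
            alerts.append(("high", image, "IP lookup followed by SMTP submission (stealer exfil pattern)"))
    return alerts


if __name__ == "__main__":
    for severity, image, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

On the sample data the Outlook and Thunderbird connections produce nothing, the first connection from Payment copy.exe to mail.financ-fire.com:587 produces both the indicator match and the correlated sequence, and the later connection at 10:09 only the indicator match because it falls outside the five-minute window. In a real pipeline, take the destination name from Sysmon Event ID 22 (DNS query) rather than relying on the reverse-lookup DestinationHostname of Event ID 3, which is often empty.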

Targets

    • Target

      Payment copy.exe

    • Size

      699KB

    • MD5

      24e9f7248721532221948fa1967ee60f

    • SHA1

      6383f2e95ddd7abd76f0be41c98c2f0251144f9f

    • SHA256

      aaffbb91c846cc38793ba7ad53bb5b72487a65fa430e4caec3993d22b28cbf21

    • SHA512

      a8f950a5d35cd972d5b6498e386f33968c34f519d97b5d037638cb97e6f226ce1f2fd01caf286fe7b46d24723b55cc0024da399633f93e7c8595fedaff55812f

    • SSDEEP

      12288:QHuE6cx+QCxBtQ7LUUV00q5+2Glo1XmVUiFK+YPbGxLuyNKBXeQU7:5cx5CxBJUV0fGmSFWBeZ

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
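Detection logic for the Defender-tampering signature listed above (PowerShell adding exclusions for extensions, paths and processes). This is an added example, not part of the sandbox report and not the malware's own code: it parses the ScriptBlockText of PowerShell Event ID 4104 records for Add-MpPreference or Set-MpPreference exclusion parameters, resolving abbreviated parameter names the way PowerShell does. The script-block texts are constructed, and the excluded paths and names are assumptions.

```python
"""Detection for the Defender-tampering technique listed in the signatures
above: PowerShell adding Defender exclusions for extensions, paths and
processes through Add-MpPreference (or Set-MpPreference).

Added example, not part of the sandbox report. The script-block texts are
constructed to resemble the ScriptBlockText field of PowerShell Event ID
4104 records; the excluded paths and names are assumptions.
"""
import re

# Exclusion parameters of Add-MpPreference/Set-MpPreference, lower-cased.
EXCLUSION_PARAMS = {
    "exclusionpath": "path",
    "exclusionextension": "extension",
    "exclusionprocess": "process",
}

CMDLET_RE = re.compile(r"\b(add|set)-mppreference\b", re.IGNORECASE)

# One parameter value: single-quoted, double-quoted, or bare (no spaces/commas).
_VALUE = r"""'[^']*'|"[^"]*"|[^\s,]+"""
# -Exclusion<anything> followed by one or more comma-separated values.
PARAM_RE = re.compile(
    rf"-(exclusion[a-z]*)\s+((?:{_VALUE})(?:\s*,\s*(?:{_VALUE}))*)", re.IGNORECASE
)
VALUE_RE = re.compile(_VALUE)


def _resolve_param(token):
    """PowerShell accepts any unambiguous prefix of a parameter name, so
    -ExclusionPa means -ExclusionPath while -ExclusionP is ambiguous."""
    hits = [name for name in EXCLUSION_PARAMS if name.startswith(token.lower())]
    if len(hits) == 1:
        return EXCLUSION_PARAMS[hits[0]]
    return "ambiguous" if hits else "other"


def find_exclusions(script_block):
    """Return one finding per exclusion parameter found in a script block."""
    findings = []
    for cmd in CMDLET_RE.finditer(script_block):
        # Only this cmdlet's own arguments: stop at a pipe, ';' or line break.
        segment = re.split(r"[|;\r\n]", script_block[cmd.end():], maxsplit=1)[0]
        for param in PARAM_RE.finditer(segment):
            values = [v.strip("'\"") for v in VALUE_RE.findall(param.group(2))]
            findings.append({
                "cmdlet": cmd.group(0),
                "kind": _resolve_param(param.group(1)),
                "values": values,
            })
    return findings


def scan_script_blocks(blocks):
    """Run find_exclusions over a sequence of 4104 ScriptBlockText values."""
    results = []
    for index, text in enumerate(blocks):
        for finding in find_exclusions(text):
            results.append({"block": index, **finding})
    return results


# Constructed sample script blocks (assumption): what 4104 would record.
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionExtension ".exe",".ps1"',
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming' "
    "-ExclusionProcess 'Payment copy.exe'",
    'add-mppreference -exclusionpa "C:\\ProgramData\\Temp"; Start-Sleep 2',
    "Get-MpPreference | Select-Object ExclusionPath",
    "Write-Host 'Exclusion list updated'",
]

if __name__ == "__main__":
    for hit in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {hit['block']}: {hit['cmdlet']} {hit['kind']} -> {hit['values']}")
```

Matching on script-block text catches the plain form the report describes, including lower-case and abbreviated parameter names, but not a cmdlet name assembled at runtime from string fragments. Pair it with the Windows Defender Operational log, where Event ID 5007 (antimalware platform configuration changed) records the new exclusion value however it was added.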

MITRE ATT&CK Enterprise v15

Tasks
