General

  • Target

    Pedido urgente_pdf.exe

  • Size

    975KB

  • Sample

    241023-hw3gysygpr

  • MD5

    97ee6841e06ab3f460b258f43d4a65ad

  • SHA1

    6e1eee9085c38abdbf4838f82c1c560ed1e4467a

  • SHA256

    efdbe10cecbc88e6d1cf4371494bfbb0b81abfe4810d618fd437255e41dc2f3e

  • SHA512

    b0da19409b05460fc1c2461c1b400b56aa045584bbebc504f703c66cd394ecdc67a623b3394e3f8e9c16ac5222228207129768de214e455f5d95e0882fbbf687

  • SSDEEP

    24576:A7GWB7+31+uvrsHIuj6Zo/ba9HKdNcJp+54Bq2mH6:mTocu9HocJkqH/

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Pedido urgente_pdf.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks