General

  • Target

    22390016593_20210618_14375054_HesapOzeti.pdf.exe

  • Size

    922KB

  • Sample

    241024-vh2pqaycnj

  • MD5

    27e278b3f081e2912b69eafe4e67d551

  • SHA1

    a003df37c0d214dba9bbc8b041852354a43e00d7

  • SHA256

    c9c4df8ccf2d7149cf5c6ad5e630e5b8385ba3e8ec6d3cbf31d362abb57671b5

  • SHA512

    b912042baa589c99ee1f424b6c8e199ef9fe69f5678b0e40aed0e9820cce6d06364cfd51248a30a373d5c49198390d8e98cdd7e389ff8672d618f3b77ae60924

  • SSDEEP

    12288:dLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QWmqzbe7cJN+yt1AyPD2BRax2S:hfmMv6Ckr7Mny5QWmkC4JozkyB4x2S

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7754092182:AAFhYG1ixwJ3gbkMI8P9ofyeJ8nQ3W5NoAU/sendMessage?chat_id=6008123474

Targets

    • Target

      22390016593_20210618_14375054_HesapOzeti.pdf.exe

    • Size

      922KB

    • MD5

      27e278b3f081e2912b69eafe4e67d551

    • SHA1

      a003df37c0d214dba9bbc8b041852354a43e00d7

    • SHA256

      c9c4df8ccf2d7149cf5c6ad5e630e5b8385ba3e8ec6d3cbf31d362abb57671b5

    • SHA512

      b912042baa589c99ee1f424b6c8e199ef9fe69f5678b0e40aed0e9820cce6d06364cfd51248a30a373d5c49198390d8e98cdd7e389ff8672d618f3b77ae60924

    • SSDEEP

      12288:dLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QWmqzbe7cJN+yt1AyPD2BRax2S:hfmMv6Ckr7Mny5QWmkC4JozkyB4x2S

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks