General

  • Target

    3aad3c90b2113bf011c93db7987cce596fd1b0a94a3c36a9bad8d058effc33f5.exe

  • Size

    666KB

  • Sample

    241105-c5lmxasfqe

  • MD5

    e5581411ae1315c19c0ac9e517f62ab9

  • SHA1

    13c7fed727d29b0415ef046cd8f19b146ebb7703

  • SHA256

    3aad3c90b2113bf011c93db7987cce596fd1b0a94a3c36a9bad8d058effc33f5

  • SHA512

    2d672d16bbf59d727176a3c5d932e27ee09984ebbe49ced58bf99f766a825388900b802dc21327d9df05167a4ca37b42fc52414ab48a04253d09cf38801bf2e9

  • SSDEEP

    12288:KM3ZJ8IWeQhfIXvwfTDaulTLNsk91j71zTW5btLBVRhgohA:PShfcvwntJsSj71ze5LL9hA

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7733074716:AAHPqUDZNcrQPzH_G03x5ppIOnkxZuz-Nyk/sendMessage?chat_id=7337843299

Targets

    • Target

      3aad3c90b2113bf011c93db7987cce596fd1b0a94a3c36a9bad8d058effc33f5.exe

    • Size

      666KB

    • MD5

      e5581411ae1315c19c0ac9e517f62ab9

    • SHA1

      13c7fed727d29b0415ef046cd8f19b146ebb7703

    • SHA256

      3aad3c90b2113bf011c93db7987cce596fd1b0a94a3c36a9bad8d058effc33f5

    • SHA512

      2d672d16bbf59d727176a3c5d932e27ee09984ebbe49ced58bf99f766a825388900b802dc21327d9df05167a4ca37b42fc52414ab48a04253d09cf38801bf2e9

    • SSDEEP

      12288:KM3ZJ8IWeQhfIXvwfTDaulTLNsk91j71zTW5btLBVRhgohA:PShfcvwntJsSj71ze5LL9hA

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks