General

  • Target

    19ced3f729d628d8b5b44c4f5c508349ece2cf5a730ea8ea893f931b5325b336.exe

  • Size

    1.1MB

  • Sample

    241105-qkhbms1ldw

  • MD5

    43723b5f3929b4f27f20a1bef23d7382

  • SHA1

    97b115fafd165021ef7f2c8476a79c9843200f49

  • SHA256

    19ced3f729d628d8b5b44c4f5c508349ece2cf5a730ea8ea893f931b5325b336

  • SHA512

    c68e6edb9902127c03d93c524a62785d4f05ddc91bbba111f47a1f973a262100eb85675a7c6b56b9478256c41e03f75d5f3c2f9c2d4d9b724cb4a4e4f2c141a5

  • SSDEEP

    24576:ffmMv6Ckr7Mny5QLUgmGiA48NoTgLTTXZ92uufOCRi:f3v+7/5QLU5GiA4fkzXZguuTRi

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7952998151:AAFh98iY7kaOlHAR0qftD3ZcqGbQm0TXbBY/sendMessage?chat_id=5692813672

Targets

    • Target

      19ced3f729d628d8b5b44c4f5c508349ece2cf5a730ea8ea893f931b5325b336.exe

    • Size

      1.1MB

    • MD5

      43723b5f3929b4f27f20a1bef23d7382

    • SHA1

      97b115fafd165021ef7f2c8476a79c9843200f49

    • SHA256

      19ced3f729d628d8b5b44c4f5c508349ece2cf5a730ea8ea893f931b5325b336

    • SHA512

      c68e6edb9902127c03d93c524a62785d4f05ddc91bbba111f47a1f973a262100eb85675a7c6b56b9478256c41e03f75d5f3c2f9c2d4d9b724cb4a4e4f2c141a5

    • SSDEEP

      24576:ffmMv6Ckr7Mny5QLUgmGiA48NoTgLTTXZ92uufOCRi:f3v+7/5QLU5GiA4fkzXZguuTRi

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks