General

  • Target

    f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa.exe

  • Size

    774KB

  • Sample

    241106-rs1cvs1hpf

  • MD5

    35a14ec5e93e8606051d692c0510b4b2

  • SHA1

    58ffd63f713bf54c45237f3012cc92f624966376

  • SHA256

    f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

  • SHA512

    a2d1173236b20a717d9ea402fd29540ce9ac002d49421d8343c34e7e63d5fcd8c9a3419ed130c677ac380b0a571cb7db23d6601cee19cc321045c0c035795c3c

  • SSDEEP

    12288:tPVXv0yQ9TUH2pKvC7oh/dDVJnvpeBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDs:NnnHLC2dfvpk5yRQLvf81BV2m6ionDu3

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tumteks.com
  • Port:
    587
  • Username:
    info@tumteks.com
  • Password:
    Tt36556300Ss.
  • Email To:
    doggyvirus02@yandex.com

Targets

    • Target

      f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa.exe

    • Size

      774KB

    • MD5

      35a14ec5e93e8606051d692c0510b4b2

    • SHA1

      58ffd63f713bf54c45237f3012cc92f624966376

    • SHA256

      f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

    • SHA512

      a2d1173236b20a717d9ea402fd29540ce9ac002d49421d8343c34e7e63d5fcd8c9a3419ed130c677ac380b0a571cb7db23d6601cee19cc321045c0c035795c3c

    • SSDEEP

      12288:tPVXv0yQ9TUH2pKvC7oh/dDVJnvpeBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDs:NnnHLC2dfvpk5yRQLvf81BV2m6ionDu3

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Saccate/Chiriguano.Ski

    • Size

      51KB

    • MD5

      6c30e6cb99e14b8e5446a9a5726167ed

    • SHA1

      01d799ef731cf409d29a51696fd3380b296f8730

    • SHA256

      3a0443fe99e0be036a5747d6c6a4a0202f5f55ffb8a338af90f829d8bbf5d5f6

    • SHA512

      39358a6fa774429954c0a599f55685608220eabeef19b6c9be1040169b65577d51c9306d537a248779a79b092e820fef7e9ee4f256297434c3677be7f75b8696

    • SSDEEP

      1536:kVpjFOKIF51+UTMIKwoQTOxBrlGtGfZWShL+m:sFO1FChNBg5EL+m

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
