General

  • Target

    73e2cbdbd6ebf0c6fa0a287b375b719b3f576287c7950458d6a75f4e293f7655.exe

  • Size

    1.2MB

  • Sample

    241112-cyz7qasgmb

  • MD5

    d99d18dbd5825f0fddef9063b0afdf9c

  • SHA1

    844a9ea45eec0dc6e5418735dad17fa4c45f589d

  • SHA256

    73e2cbdbd6ebf0c6fa0a287b375b719b3f576287c7950458d6a75f4e293f7655

  • SHA512

    8c75c5c84edc33da74011b7be370061b3b6e3add6daea4f935b9a1eb2336d638160847293b057f9edeed98686e64b5212b851afab6d8d72d9c70166f93c1ccbe

  • SSDEEP

    24576:KqH4yLXhLnk1EhgwluwEAMBVuZh9zwVb1:KqHn2wowEA049zwVb

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot8143251474:AAEA0_EQbWwbg-euvwSvaVk0pmsvD34srnA/sendMessage?chat_id=6008123474

Targets

    • Target

      73e2cbdbd6ebf0c6fa0a287b375b719b3f576287c7950458d6a75f4e293f7655.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15