General

  • Target

    c997ad9cac5cb1cfc050a066e275aae6a540443075b2641ca19331b3f065ee29

  • Size

    620KB

  • Sample

    241119-nd61bavmfy

  • MD5

    8f6d690e119684b1629d41f97b83fb23

  • SHA1

    46efdb7ae7079a781723d75e390431aa4c6080e5

  • SHA256

    c997ad9cac5cb1cfc050a066e275aae6a540443075b2641ca19331b3f065ee29

  • SHA512

    aa25c86da804170e08f3e4d5d64d7d07007bee539b26b27bc39476de4f99fca8fc0d7eaa3854556d004217982ab36c83f8f15bb21cbf1ffcc382edd911631d9c

  • SSDEEP

    12288:bMVmiWX9OeYHC89ljwRbfWwtODSyaAXd1mA1Ak6OsgSb4VqU+H4o5zBFtyakR:gTONYHFvjwRzCxXd1mvOsH6eYoLy5

Malware Config

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks