General

  • Target

    6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e

  • Size

    548KB

  • Sample

    241120-l1w3hsvnhy

  • MD5

    8148bbdcbec9dd84bdf7089fae43ce62

  • SHA1

    58cbab87c2cbbe8c54f88089d33526409732f6ad

  • SHA256

    6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e

  • SHA512

    5384f00aa68195c0954dfffe7e23c5761a1c5e1673ab89908dfe0f2f29cd80fdd3d4f10efffeeabc1d7a55f8d6c617b553223c42ce2d5eaaf71a47659d9384fe

  • SSDEEP

    12288:HD7go7VIG3k0MOdkrUC85KbIvXP5LWNSRwHbn+EgXkCkyg:HDEo7V/F5daB5bIvf5LiHb+xkCkn

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    50.31.176.103
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    #MT#mn!6V!@6

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://50.31.176.103/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    #MT#mn!6V!@6

Targets

    • Target

      6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e

    • Size

      548KB

    • MD5

      8148bbdcbec9dd84bdf7089fae43ce62

    • SHA1

      58cbab87c2cbbe8c54f88089d33526409732f6ad

    • SHA256

      6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e

    • SHA512

      5384f00aa68195c0954dfffe7e23c5761a1c5e1673ab89908dfe0f2f29cd80fdd3d4f10efffeeabc1d7a55f8d6c617b553223c42ce2d5eaaf71a47659d9384fe

    • SSDEEP

      12288:HD7go7VIG3k0MOdkrUC85KbIvXP5LWNSRwHbn+EgXkCkyg:HDEo7V/F5daB5bIvf5LiHb+xkCkn

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks