General

  • Target

    a1691d6ed11886675a6470ca097d0456af5105b731c8b6083e41d440aafdb2df

  • Size

    609KB

  • Sample

    241128-zvgbrszrbx

  • MD5

    c860fbf23aeda1d924875530abd1333c

  • SHA1

    f5608d48aca738d8b10f4fa37696160fa0bc7cd1

  • SHA256

    a1691d6ed11886675a6470ca097d0456af5105b731c8b6083e41d440aafdb2df

  • SHA512

    a4b154ebc3e068ab9e06c4fb164a3beab27e2b22e590c34675425cd3f7484f40f1a99eb30d0cd71ca76f4f9736bcf540d81fb71b54fa09a63ba8c6f77d224fa9

  • SSDEEP

    12288:aWNw9mR8VtJU/FThfndBOhBbTEl1Bl14T1xYoQsRgFBtwE64nc8+Xyj16LT:aWNEaTNr2k1mhBcLCuiXOk

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7778964135:AAGwyiOaaqks3s5KrOkXWmxcGXjj3R5nqBY/sendMessage?chat_id=5600682828
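
The extracted C2 is a Telegram Bot API endpoint: the URL path carries the bot token (bot ID and secret) and the query string carries the chat the stolen data is sent to. As an added example that is not part of the sandbox report, the Python below splits that URL into its indicator components and hunts for matching requests in web-proxy logs. The token and chat_id are the values from the report above; the proxy log lines, their field layout and the process names in them are constructed for the example.

```python
"""Added example, not part of the sandbox report: split the extracted Snake
Keylogger Telegram C2 URL into indicator components and hunt for matching
requests in web-proxy logs.  The bot token and chat_id are the values in the
report above; the proxy log lines and their field layout are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Extracted C2 from the "Malware Config" section above.
C2_URL = ("https://api.telegram.org/bot7778964135:AAGwyiOaaqks3s5KrOkXWmxcGXjj3R5nqBY"
          "/sendMessage?chat_id=5600682828")

# Bot API paths look like /bot<bot_id>:<secret>/<method>; the token is "<bot_id>:<secret>".
# (File downloads use /file/bot<token>/... and are deliberately not matched here.)
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Return bot_id, token, method and chat_id for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if m is None:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


# Constructed proxy log, one request per line: "<client_ip> <process> <url>".
# The process names, the IP-lookup host and the second bot token are made up.
PROXY_LOG = """\
10.0.0.12 chrome.exe https://www.google.com/search?q=swift
10.0.0.12 payload.exe https://api.telegram.org/bot7778964135:AAGwyiOaaqks3s5KrOkXWmxcGXjj3R5nqBY/sendMessage?chat_id=5600682828
10.0.0.12 payload.exe https://checkip.example.net/
10.0.0.31 Telegram.exe https://api.telegram.org/bot1234567890:AAFconstructedTokenForAnotherBot_x/getUpdates
"""


def hunt_proxy_log(log_text, c2_url):
    """Flag every Telegram Bot API request; an exact token match is the known C2."""
    ioc = parse_telegram_c2(c2_url)
    hits = []
    for line in log_text.splitlines():
        client, process, url = line.split(" ", 2)
        seen = parse_telegram_c2(url)
        if seen is None:
            continue  # not a Bot API call at all
        verdict = "known_c2" if seen["token"] == ioc["token"] else "other_bot_api"
        hits.append({"verdict": verdict, "client": client, "process": process,
                     "bot_id": seen["bot_id"], "method": seen["method"],
                     "chat_id": seen["chat_id"]})
    return hits


if __name__ == "__main__":
    for hit in hunt_proxy_log(PROXY_LOG, C2_URL):
        print(hit)
```

Only the token match is a conviction; legitimate automation also uses the Bot API, so the "other_bot_api" hits are review items (which process issued them, and is it one that should be talking to a bot?). The path and token are visible only where TLS is terminated by a proxy; on a network without TLS inspection, hunt instead for DNS or TLS SNI for api.telegram.org coming from processes that are not a Telegram client.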

Targets

    • Target

      SWIFT DEL BANCO ....pdf.exe

    • Size

      703KB

    • MD5

      081ca4270f480233f8cc4a2cf6b33937

    • SHA1

      e6bb74aa87a11648efd7db06e3b8abc028ba65b5

    • SHA256

      e57f34e78fdce24981c1d9e6a40f686f9cf734e2a9d9e851ae47bba9d0f56dbf

    • SHA512

      5fc8737eaea950de3c533ef4684ae03568dcbf587650e54aee23f2318e49db1b6486cdcdef73fe4b68d6ea1511fe398f583c501c5d4cad32ff89a9a62023711e

    • SSDEEP

      12288:4so1zGksv+SGjpA3yKUUo6a8fZhfXvJOha5zZglTfHnGTHxYYQ0rgF9xqq6wwBPU:01zGUxjuZxx3dCT+DbsXkJ43x

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
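
The Defender-exclusion behaviour in the list above is visible in PowerShell Script Block Logging (Event ID 4104), which records the script text as it is compiled. As an added example that is not part of the sandbox report, the Python below flags script blocks that add exclusions via Add-MpPreference or Set-MpPreference and reports what was excluded. The cmdlet and parameter names are real; the sample events, their record IDs and the excluded paths are constructed.

```python
"""Added example, not part of the sandbox report: flag PowerShell script blocks
that add Microsoft Defender exclusions, the tampering described by the
"Command and Scripting Interpreter: PowerShell" signature above.  Input is the
script text from Event ID 4104 (Script Block Logging); the cmdlet and parameter
names are real, the sample events are constructed."""
import re

# Add-MpPreference and Set-MpPreference both accept the exclusion parameters.
# Arguments run to the end of the line or to the next pipeline/statement separator.
CMDLET_RE = re.compile(
    r"\b(?P<cmdlet>Add-MpPreference|Set-MpPreference)\b(?P<args>[^\r\n;|]*)",
    re.IGNORECASE,
)
# A value is a double- or single-quoted string, or a bare token (possibly a comma list).
PARAM_RE = re.compile(
    r"-(?P<kind>ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|[^\s;|]+)",
    re.IGNORECASE,
)
CANONICAL = {
    "add-mppreference": "Add-MpPreference", "set-mppreference": "Set-MpPreference",
    "exclusionpath": "ExclusionPath", "exclusionextension": "ExclusionExtension",
    "exclusionprocess": "ExclusionProcess",
}


def find_defender_exclusions(script_block):
    """Return (cmdlet, kind, value) for every exclusion the script block adds."""
    findings = []
    for cm in CMDLET_RE.finditer(script_block):
        cmdlet = CANONICAL[cm["cmdlet"].lower()]
        for pm in PARAM_RE.finditer(cm["args"]):
            kind = CANONICAL[pm["kind"].lower()]
            raw = pm["value"]
            # A quoted value is one item; a bare value may be a comma-separated list.
            values = [raw[1:-1]] if raw[0] in "\"'" else raw.split(",")
            findings.extend((cmdlet, kind, v) for v in values if v)
    return findings


def triage_4104(events):
    """events: iterable of (record_id, ScriptBlockText). Returns only the offenders."""
    offenders = {}
    for record_id, text in events:
        found = find_defender_exclusions(text)
        if found:
            offenders[record_id] = found
    return offenders


# Constructed 4104 script blocks (record id, ScriptBlockText). 101 and 104 are benign:
# reading exclusions and re-enabling real-time monitoring are not exclusion tampering.
SAMPLE_4104 = [
    (101, r"Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"),
    (102, r'Add-MpPreference -ExclusionPath "C:\Users\Public" -ExclusionExtension .exe '
          r"-ExclusionProcess payload.exe"),
    (103, r"add-mppreference -exclusionpath C:\Windows\Temp,C:\ProgramData\x"),
    (104, r"Set-MpPreference -DisableRealtimeMonitoring $false"),
]

if __name__ == "__main__":
    for record_id, found in triage_4104(SAMPLE_4104).items():
        for cmdlet, kind, value in found:
            print(f"4104 #{record_id}: {cmdlet} -{kind} {value}")
```

Two caveats. PowerShell accepts abbreviated parameter names, splatting and strings assembled at run time, none of which this regex sees; because 4104 logs each block as it is compiled, a cmdlet built from string fragments and run through Invoke-Expression still produces a second event containing the plain text, so alert on the later event rather than trying to decode the first. Independently of PowerShell logging, Defender records configuration changes, exclusions included, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which catches the same change made through other tooling.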

MITRE ATT&CK Enterprise v15

Tasks