General

  • Target

    47f122f668c4791cf3795a7c76e7f3682283bae4efd499d200bd80cc164b8948.exe

  • Size

    983KB

  • Sample

    241129-dr6xcs1rhx

  • MD5

    aa90694a5cc7243dd249a056818a80ea

  • SHA1

    aea0366ac02f19c0ea79053eb51f52f1949ea413

  • SHA256

    47f122f668c4791cf3795a7c76e7f3682283bae4efd499d200bd80cc164b8948

  • SHA512

    6c63e8a1eedd35fc22329554e1fabbf4cd6a5e3715a285941387ed9aba363b69c15cd102c441b06d1ea761525b62f188eb686b7778387d3f1e8b8ed5657087a8

  • SSDEEP

    24576:Wtb20pkaCqT5TBWgNQ7a/ri1qXiYiU96A:DVg5tQ7a/ri1PYiI5

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7578088265:AAHvd5E9MBWeIBV2JVvDWdTRg0KYKBSK8MM/sendMessage?chat_id=7365454061

Targets

    • Target

      47f122f668c4791cf3795a7c76e7f3682283bae4efd499d200bd80cc164b8948.exe

    • Size

      983KB

    • MD5

      aa90694a5cc7243dd249a056818a80ea

    • SHA1

      aea0366ac02f19c0ea79053eb51f52f1949ea413

    • SHA256

      47f122f668c4791cf3795a7c76e7f3682283bae4efd499d200bd80cc164b8948

    • SHA512

      6c63e8a1eedd35fc22329554e1fabbf4cd6a5e3715a285941387ed9aba363b69c15cd102c441b06d1ea761525b62f188eb686b7778387d3f1e8b8ed5657087a8

    • SSDEEP

      24576:Wtb20pkaCqT5TBWgNQ7a/ri1qXiYiU96A:DVg5tQ7a/ri1PYiI5

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks