General

  • Target

    9e41871b948b229ab4a4574e2b4cd3c300485663c2ca1b0cb9ab7c72ecff203c.arj

  • Size

    500KB

  • Sample

    241129-eb6r4ayqen

  • MD5

    d35e1d09690c4961868535ae71976ea6

  • SHA1

    5cbed981e9e91b10ea9d430911cae89a44563bd1

  • SHA256

    9e41871b948b229ab4a4574e2b4cd3c300485663c2ca1b0cb9ab7c72ecff203c

  • SHA512

    ee6746caf9f7e76286a657ef490b99db45eb453ead0fdf33f13b0d53ae1f7bab10269ef99da4590dc339a463f15c5502b66309b66e5e1268fea83a505624d07d

  • SSDEEP

    12288:Hz/gucrKdBtGO+7javShJv4U0SlusFs4p3aJDqwhjKRcITHU:HzI9reJ+7hw644IJDHjmU

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7525931722:AAHv5VReYz4Tdv44qTVu1nWYViZknndh3TU/sendMessage?chat_id=7361435574

Targets

    • Target

      FATURA.exe

    • Size

      996KB

    • MD5

      f643d0ec3aaba77a445b1aa1c739a950

    • SHA1

      595437518041ca8664eadfda9cc27ae854b21f9c

    • SHA256

      61b26d074e24a041f6e63e815dea5337b13e128d50dd47b5e45c94873806d9d5

    • SHA512

      1959f947c2dcff170bc6173683ba84cf7863835d589cafe24c45545f5a0eb6020fc7e37438abfd692a95b29dadb160f86d49cae1254a7c298bf4aa192ce74080

    • SSDEEP

      12288:Wtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaaTwgqpH86x6A:Wtb20pkaCqT5TBWgNQ7aqwgqB86x6A

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks