General

  • Target

    a6273ca99ae2b4151febe90ac335b05b1d918e3a4e3a5b7da1fcd504be4c758e.rar

  • Size

    638B

  • Sample

    241129-edkmmsyrdj

  • MD5

    f1144511a96c94fe9426e849b5be031b

  • SHA1

    c447bd4345b9c643d6376615636531d310fd82af

  • SHA256

    a6273ca99ae2b4151febe90ac335b05b1d918e3a4e3a5b7da1fcd504be4c758e

  • SHA512

    cd606b98596b1b50a0bd8501e89ccec8ba00f259921875bdcb3d4400e3e7abcc4d45f711ebc131cce9b2fbb14880574d06d63ffee14997b81288975867f1896f

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    evqqlnwkcmogylje

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Bukti-Transfer.vbe

    • Size

      9KB

    • MD5

      3a62dc625d7dd22fd4c2aba6e7058dd4

    • SHA1

      2b264827a034a913128d9fb362a3b789005ba4f0

    • SHA256

      895e3a8a58ca8d0b65bdb92d181ea4ebd53b479872e75c7455e892b58149cb38

    • SHA512

      0872c46046e565a8d0866e95a57a7dd1d9a86e3f17eba48901ffc2d913c598c2b44b4d285c508ade8446ba64de44b00d9baa74a72b59cda506ea58f711145b7f

    • SSDEEP

      192:FbmzV2nbm3m6G53Vm6z22m6THZKmQmjFm6TH8Mjm8bDmDj02IbmHKmvFnbmVFxVx:ZFbUIyKLK0LBrqPG

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks