General

  • Target

    38299e6b012a2f115beb9a7ea095e1579770d209fceb12d81ddcbd3d3ca720c3.exe

  • Size

    573KB

  • Sample

    241207-c15j8a1mfv

  • MD5

    7029c7a9053ebd5221a77e5b625998ff

  • SHA1

    7d43c8995aa88dcd47feeb8e6d02137032fb7e0e

  • SHA256

    38299e6b012a2f115beb9a7ea095e1579770d209fceb12d81ddcbd3d3ca720c3

  • SHA512

    472dd3f2692d94f4398c01b99809cf2d7bd0aa8f08e8d848e4bf6e127d2954dd461515c952066eba6bb3cb9ea01a2b03776656013904315e7af1784c503dadd6

  • SSDEEP

    12288:APGWjVCnvGcorjIBieSdlCOnHRATsKwDHwMkR:2VUefjOzwggWjuHw7

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks