General

  • Target

    5101a8d9f469c881b484d5e308c99802bdafdab686d20702fac5081755af7fcc

  • Size

    326KB

  • Sample

    241208-d4zntavrbr

  • MD5

    18a92fea5a92a1e1ac9dc64b1e2617bd

  • SHA1

    c2727341e6e79db551719d3dbdf28452dc5af037

  • SHA256

    5101a8d9f469c881b484d5e308c99802bdafdab686d20702fac5081755af7fcc

  • SHA512

    e6f3f125f171bdd5c7a7bc312c3ef3b9a55a46dd18c472fa77f7da398f923dd056cbb2a4f13250b05e0321d23d39c0a8e5607ed3c2521c1f8acd4c6e4b418c56

  • SSDEEP

    6144:YVFR5eh3eyjTWHEXP7ZBTlN7oUcKal6fIHMgbq0hj5p6SkVP1x0XD/OBOsJpH:YHRoh7P9BZNkUcKa6pb0BH6SkvLoMpH

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7634300667:AAElS97UnedbkmPEFHxIY0TyKl484PsrjZY/sendMessage?chat_id=2135869667

Targets

    • Target

      Vessel Particulars.exe

    • Size

      540KB

    • MD5

      aca1506ec2fc90d9bd56cbbe91bd6386

    • SHA1

      d2b443e927e57d8481fd6ddc5c7722d423815a9b

    • SHA256

      da35f06d5f83c958940b5816901f091a1725f9af4398d94e7347550cf56be86b

    • SHA512

      4e7af171c7ca0eb32616e53e63e59d41bda62e52ea801c8e005e8cc8d9f08cbb5aa59ea5203688efaf53a0e1d2c91a64a6cba225481f6a36ba08d4f96454f956

    • SSDEEP

      12288:YiU+RfWk1Sm5bp+4yZXfcKa6Io24RPlA24:Yi3fWxIbc4yZ0xoDf

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks