General

  • Target

    Payment Confirmation..docm

  • Size

    15KB

  • Sample

    241209-s1b6nsxleq

  • MD5

    5b539c1cf933b4b4158552ce25f708e1

  • SHA1

    8b322500fa186ca8f6e2fe0494214ad2b527d8d0

  • SHA256

    12d47f62ed1f5d60193a3a3099873286365c15dc6bf9df17aa250e1f7660c36c

  • SHA512

    66296c5eaec5ab37c920780d0906082e808cde8a99c4cf1802c2d8013b722c324cf345e7af9fe8f971b100ae0d4326c3717eebe80cda1fe8715b6369af5c3f0a

  • SSDEEP

    384:/imtLGAcgqN+v6+iAn0i13LHHOXv+iT3eZaakbM:/LL9cgqa3rv13jOXGiT3i

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks