General

  • Target

    499cf5d857866301dfc24c03d532badc1e18c40c86e87ee56dfbb4b4d2ae4896.exe

  • Size

    3.6MB

  • Sample

    241210-c5qlvs1law

  • MD5

    6d63f97b52c80f9d4f04deb80e15a892

  • SHA1

    62a6e30c24499511b8c44b7948f83af5ac17959e

  • SHA256

    499cf5d857866301dfc24c03d532badc1e18c40c86e87ee56dfbb4b4d2ae4896

  • SHA512

    8b7a76aaada8785560d90669911c2c526ec92b8c28ae12a347e7da76663cb0ccdba772a40e2ddf2e55014c0c216faabb3dd09243587e537e6da445e435bb7f2a

  • SSDEEP

    49152:NQbvhYL9wpkzrk7UHlt796h+16eUMTycWaX/Ngvv1VlHIPIV/CdQvJuJ44wPcbER:NF9wpkzrv/XUMmczWvnlo0KSj5L1Ln9

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      499cf5d857866301dfc24c03d532badc1e18c40c86e87ee56dfbb4b4d2ae4896.exe

    • Size

      3.6MB

    • MD5

      6d63f97b52c80f9d4f04deb80e15a892

    • SHA1

      62a6e30c24499511b8c44b7948f83af5ac17959e

    • SHA256

      499cf5d857866301dfc24c03d532badc1e18c40c86e87ee56dfbb4b4d2ae4896

    • SHA512

      8b7a76aaada8785560d90669911c2c526ec92b8c28ae12a347e7da76663cb0ccdba772a40e2ddf2e55014c0c216faabb3dd09243587e537e6da445e435bb7f2a

    • SSDEEP

      49152:NQbvhYL9wpkzrk7UHlt796h+16eUMTycWaX/Ngvv1VlHIPIV/CdQvJuJ44wPcbER:NF9wpkzrv/XUMmczWvnlo0KSj5L1Ln9

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks