Overview

overview

10

Static

static

3

Contract.exe

windows7-x64

10

Contract.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    78a49948453033607b17b96dc3a1b7822fde729025fb29ee50e7978fc287dd8e

  • Size

    584KB

  • Sample

    250115-ny7gkstlgj

  • MD5

    2b4f5187f245962863bc3fda32097626

  • SHA1

    8087c1c0b1976668e8b48f822bcffebc68588db5

  • SHA256

    78a49948453033607b17b96dc3a1b7822fde729025fb29ee50e7978fc287dd8e

  • SHA512

    57f23087d859f68fcf64a004123b0861a1f9cb10fdbaf28e4c8eb64e6f335a2f68796dc70accf99d3ae29f4cea1371faa7dc4412e514f8efb17f96af5d20d321

  • SSDEEP

    12288:bWgLSSp5irTnD5nSmZKJFQP3qLOtxoyQPZDAuUGkOEFE3FpIE5ZvBn/XmW:agOSSH5Sm7/qsKyQP1UdHFK0ENn/h

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.murchisonspice.co.za
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    accounts786q#

Targets

    • Target

      Contract.exe

    • Size

      687KB

    • MD5

      e1889e7a749a3039492b8c87207f94d6

    • SHA1

      fdfc2777d9f4ffe47302dfcd85e73dc43fabae07

    • SHA256

      1161e839e699bfd8e0065f6b6e3b1c76be8cb56d6c9db918e5fe8e454cb8d56c

    • SHA512

      a141994c80731ec3d425cbfb21c284af682675d6a8aed2da7a7fa5bba85740b5f8e8cb2e2ce4c3a6493ce7c9c755058019279aa7092545e356f50a820336962a

    • SSDEEP

      12288:BFoJNhQ/cWS7stsLbol3BUZKJU499O4NZqD7LtYhxiOkogG/TW:BCJN+UVsa/ol3Se99hNZqD72xiOko/T

    Score
    10/10
    snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks