General
-
Target
Ziraat Bankasi Swift mesaji, pdf.exe
-
Size
712KB
-
Sample
250211-hm57gszkcx
-
MD5
8385ee9c22daa8baca8a30a28c1964d5
-
SHA1
1c27e0bf25e7593ebc2ee640d1d7bd7e62f286c1
-
SHA256
b286b238bf84860b09efb3f0b89b48c01e35ff7746999b6286b9ce0d0af3a48d
-
SHA512
9ea9009fdd910a6105a9e7a9fc2cf297726ad774fae8db913b9d23f59dc86b3d7507a17ddc24b0071f2e24d03e6ef72b8475cadf36acb89657915112b8dc0ddd
-
SSDEEP
12288:hoaovT2lPK7Jl/7rs2Wb8ilcI5eY/ujxNbL2qSgTovljZGY7XbgsxZkWU4uvYfIi:Y2BKzjY2WHt5fAxx2qSgTadzx
Malware Config
Extracted
snakekeylogger
Protocol: ftp- Host:
ftp://ftp.puragenicindia.com/ - Port:
21 - Username:
[email protected] - Password:
bobbyj2016@2025
Targets
-
-
Target
Ziraat Bankasi Swift mesaji, pdf.exe
-
Size
712KB
-
MD5
8385ee9c22daa8baca8a30a28c1964d5
-
SHA1
1c27e0bf25e7593ebc2ee640d1d7bd7e62f286c1
-
SHA256
b286b238bf84860b09efb3f0b89b48c01e35ff7746999b6286b9ce0d0af3a48d
-
SHA512
9ea9009fdd910a6105a9e7a9fc2cf297726ad774fae8db913b9d23f59dc86b3d7507a17ddc24b0071f2e24d03e6ef72b8475cadf36acb89657915112b8dc0ddd
-
SSDEEP
12288:hoaovT2lPK7Jl/7rs2Wb8ilcI5eY/ujxNbL2qSgTovljZGY7XbgsxZkWU4uvYfIi:Y2BKzjY2WHt5fAxx2qSgTadzx
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Snakekeylogger family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-