General

Target: PR-250116 CI, PL, AGLC2501021 SUR BL.exe
Size: 612KB
Sample: 250217-k71hvaxnhw
MD5: 8a67b7c17273ba3a932aa9efaeed4689
SHA1: 726a7774525cf246338ef98f26cd4c70450aea3e
SHA256: 6c9bfc38f2dd0b8e0ff1ae18e0286fd13cc7f27dfadace3a6663ae53ef3c1ed0
SHA512: d8d239f832388c6faa32901149757bb481be4304db5c0192d876d4453cdad925662331eadf2b738e86f98d0ea3be517c3f3a19834af8039019339b3409f186eb
SSDEEP: 12288:bxgmHugv1lqu5+hQBgJwKH7uYnFzJPaXXR+dR3JcK3Tc5R5v/Xs:t935+hzbfF8XXR+dR3JR3W/
Static task: static1

Behavioral task: behavioral1
Sample: PR-250116 CI, PL, AGLC2501021 SUR BL.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: PR-250116 CI, PL, AGLC2501021 SUR BL.exe
Resource: win10v2004-20250211-en
Malware Config

Extracted: snakekeylogger
Exfiltration endpoint: https://api.telegram.org/bot7905871292:AAHB1RJykyMoiHYER8WPqlFb1I5BK36XdbY/sendMessage?chat_id=986310232
(Telegram Bot API sendMessage call; the bot token is embedded in the path and the destination chat_id 986310232 in the query string, so both are usable as IOCs without contacting Telegram.)
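Dissecting the extracted URL into IOC fields, as an added example (not part of the sandbox report and not Snake Keylogger code). It parses the URL offline and never sends a request; the looser `find_telegram_c2` scanner generalises the single URL above to arbitrary text such as strings output or proxy logs, and its minimum secret length is an assumption, not something the report states.

```python
"""Parse a Telegram Bot API exfiltration URL into shareable IOC fields.

Added example. Nothing here talks to api.telegram.org; the only input is the
URL string the report extracted from the sample's configuration.
"""
import hashlib
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# The URL exactly as listed under "Malware Config" in the report.
EXTRACTED_C2 = (
    "https://api.telegram.org/bot7905871292:AAHB1RJykyMoiHYER8WPqlFb1I5BK36XdbY"
    "/sendMessage?chat_id=986310232"
)

# Bot API path layout: /bot<numeric bot id>:<secret>/<method>
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

# Loose scanner for the same shape inside arbitrary text (strings output, memory
# dumps, proxy logs). The {20,} floor on the secret is an assumption.
TELEGRAM_C2_RE = re.compile(
    r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{20,}/\w+(?:\?[^\s\"'<>]*)?"
)


def parse_telegram_c2(url: str) -> Optional[dict]:
    """Return IOC fields for a Telegram Bot API URL, or None if it is not one."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or u.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(u.path)
    if not m:
        return None
    token = f"{m['bot_id']}:{m['secret']}"
    params = parse_qs(u.query)
    return {
        "bot_id": m["bot_id"],          # public half of the token; safe to share
        "method": m["method"],          # sendMessage / sendDocument / getUpdates ...
        "chat_id": params.get("chat_id", [None])[0],
        # Hand around a fingerprint rather than the live secret when sharing IOCs.
        "token_sha256_prefix": hashlib.sha256(token.encode()).hexdigest()[:12],
    }


def find_telegram_c2(text: str) -> List[dict]:
    """Scan arbitrary text for Telegram Bot API URLs and parse every hit."""
    hits = []
    for m in TELEGRAM_C2_RE.finditer(text):
        parsed = parse_telegram_c2(m.group(0))
        if parsed:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    print(parse_telegram_c2(EXTRACTED_C2))
```

The bot id and chat id are stable across samples built by the same operator, which makes them better pivots than the sample hashes; the secret half of the token should not be copied into tickets or shared feeds, hence the fingerprint.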
Targets

Target: PR-250116 CI, PL, AGLC2501021 SUR BL.exe
Size: 612KB
MD5: 8a67b7c17273ba3a932aa9efaeed4689
SHA1: 726a7774525cf246338ef98f26cd4c70450aea3e
SHA256: 6c9bfc38f2dd0b8e0ff1ae18e0286fd13cc7f27dfadace3a6663ae53ef3c1ed0
SHA512: d8d239f832388c6faa32901149757bb481be4304db5c0192d876d4453cdad925662331eadf2b738e86f98d0ea3be517c3f3a19834af8039019339b3409f186eb
SSDEEP: 12288:bxgmHugv1lqu5+hQBgJwKH7uYnFzJPaXXR+dR3JcK3Tc5R5v/Xs:t935+hzbfF8XXR+dR3JR3W/
- Snake Keylogger payload
- Snakekeylogger family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the primitive behind process hollowing (payload written into a suspended process, entry point redirected, thread resumed).
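Detection logic for the Defender-exclusion behaviour flagged above, as an added example (not part of the sandbox report and not code from the sample). The process-creation log lines are constructed here and their `key="value"` layout is an assumption rather than any product's format; the report does not show the actual command line, so the exclusion values in the samples are illustrative. The example also handles the `-EncodedCommand` case, which a plain substring match misses.

```python
"""Flag PowerShell process creations that add Windows Defender exclusions.

Added example. Log lines are constructed inline; the field layout is an
assumption. Matches Add-/Set-MpPreference with any -Exclusion* parameter,
decoding -EncodedCommand (base64 of UTF-16LE) first when present.
"""
import base64
import re
from typing import List, Optional

_MP_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
_EXCLUSION_PARAM = re.compile(r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\b", re.IGNORECASE)
_ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_POWERSHELL_IMG = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
_FIELD = re.compile(r'(\w+)="([^"]*)"')


def encode_ps_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if there is none."""
    m = _ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_line(line: str) -> Optional[dict]:
    """Return a finding for one process-creation line, or None if benign."""
    fields = dict(_FIELD.findall(line))
    if not _POWERSHELL_IMG.search(fields.get("Image", "")):
        return None
    cmd = fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    script = decoded if decoded is not None else cmd
    cmdlet = _MP_CMDLET.search(script)
    exclusions = _EXCLUSION_PARAM.findall(script)
    if not cmdlet or not exclusions:
        return None
    return {
        "time": fields.get("UtcTime"),
        "parent": fields.get("ParentImage"),
        "cmdlet": f"{cmdlet.group(1)}-MpPreference",
        "exclusions": exclusions,
        "encoded": decoded is not None,
        # T1059.001 is the technique the report assigns; T1562.001 (Impair
        # Defenses: Disable or Modify Tools) is the analyst's mapping added here.
        "attack": ["T1059.001", "T1562.001"],
    }


def scan(lines: List[str]) -> List[dict]:
    """Run check_line over a log and keep the findings, in log order."""
    return [f for f in (check_line(ln) for ln in lines) if f]


# Constructed sample log. The parent file name is the report's target; the
# paths and exclusion values are illustrative.
TARGET = "PR-250116 CI, PL, AGLC2501021 SUR BL.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENCODED = encode_ps_command("Add-MpPreference -ExclusionExtension exe")
SAMPLE_LOG = [
    f'UtcTime="2025-02-17 10:02:11" ParentImage="C:\\Users\\user\\Downloads\\{TARGET}" '
    f'Image="{PS}" CommandLine="powershell.exe Add-MpPreference -ExclusionPath '
    f"'C:\\Users\\user\\AppData\\Roaming' -ExclusionProcess '{TARGET}'\"",
    f'UtcTime="2025-02-17 10:02:12" ParentImage="C:\\Users\\user\\Downloads\\{TARGET}" '
    f'Image="{PS}" CommandLine="powershell.exe -nop -w hidden -enc {ENCODED}"',
    f'UtcTime="2025-02-17 10:03:00" ParentImage="C:\\Windows\\explorer.exe" '
    f'Image="{PS}" CommandLine="powershell.exe Get-MpPreference"',
    'UtcTime="2025-02-17 10:03:05" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats a practitioner would add: exclusions can also be set through the `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions` registry keys or via `MpCmdRun`, which this command-line rule does not see, so pair it with Defender's own event log (event ID 5007 records configuration changes); and a sudden `-ExclusionProcess` naming the parent's own executable, as in the first sample line, is the strongest signal here because legitimate administration rarely excludes a freshly downloaded file.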
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)