General
-
Target
9fd4ccb584b2bd2df91780727e356c86573d52c38bb3dc43f25468123b3e2086.zip
-
Size
502KB
-
Sample
240626-bv7a7aweng
-
MD5
3f23a4f874593c74e4794d0ee6d107b8
-
SHA1
39370d845c08420a423de3259ac1b737f2ce6749
-
SHA256
9fd4ccb584b2bd2df91780727e356c86573d52c38bb3dc43f25468123b3e2086
-
SHA512
3ede9ba5c88b45a114a00e87ac7be2e039446ffb78291ac77ed7c148e0c9c738317c4943ca185298760a0760d0a07033e41c9be64fc65b8a502f45601d0596ff
-
SSDEEP
12288:f05khWh/VcRULdN7yVnmx3zDv/sO9/DP/o4NlQ7pmMD:f0Khq6iyNmx3UO9/z/oqlIpma
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7301432976:AAH31iVg7cEj_CK4xnKcLgyVuIYziQoJStE/sendMessage?chat_id=1182519128
Targets
-
-
Target
LAQ-PO088PDF.exe
-
Size
550KB
-
MD5
93f4ebbd3bc337d1805105550286ebcb
-
SHA1
a5374ff40e11814b0b41398d88bbd8e9d0909012
-
SHA256
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad
-
SHA512
e924178dd1dbc9e12582f2f0abc69d30ceca85c8add2fd009e55641d89b641a63cd65198b57949981f4b4005cfc1ea24ba57b1627926aed83bbfcbc4b576d86b
-
SSDEEP
12288:Wz5wtNkLsikaU8HHB7QZ4GXUgKwzDxyq/HEnfp3bonqAE:OLsTziUnfYq/kfpd
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-