General

  • Target

    c2cea2c500b0bf93e0af89d6cf07f46586b44d86613d331c0079c1eef108674e.zip

  • Size

    283KB

  • Sample

    240627-bz8ptaydlm

  • MD5

    ff22bd074de4662376a16b19f8cb2ff8

  • SHA1

    1f736d7525b82d4a109ff46dc2e7abd19978845b

  • SHA256

    c2cea2c500b0bf93e0af89d6cf07f46586b44d86613d331c0079c1eef108674e

  • SHA512

    d76a1e260c4e16bcc7ccb96913856ef5ff173e2bfcf4a6b0870f770648d7ade91972e347b790b8b2f69d44143d91e4ea1da0662f431c57310683c8fa7f8b16c9

  • SSDEEP

    6144:u+Yrhl4wHQf8Eoxvu5Ii8+9HyB3bnn4lV+RgME6c1WLM:u+iUIQf8Jxvyw+9eTqUgIc1W4

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.valleycountysar.org
  • Port:
    465
  • Username:
    [email protected]
  • Password:
    DKw(r0%wpbd]

C2

https://api.telegram.org/bot6812788177:AAHJ7__ozL0XtBMeO1hcjgFB8ECV3bh5yjg/sendMessage?chat_id=5007084465

Targets

    • Target

      new contract.exe

    • Size

      521KB

    • MD5

      a62161fb37a0da7fbfb3913ce4aecb2c

    • SHA1

      2d994e85cf444c5b784d55a52c676b9773b27758

    • SHA256

      f2101696ff6fb8e2171fe666df358500c675246fcbdf4620fe2961be8e5fb316

    • SHA512

      bc08e560c8cc81c3cce3e2f33d3991e87fc27e4e5473fdb149698cad34a9c7dfbb47e75fdce2e263a0385368090e8a99eeec61a9666f1058b91ba802c966da4c

    • SSDEEP

      12288:c5kndm17d93IfLZS9oOarFK+Wbi1vk6i:HngZ7IfLZSR3/bGs6i

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables with potential process hooking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Credential Access

  • Unsecured Credentials (T1552): 2
  • Credentials In Files (T1552.001): 2

Collection

  • Data from Local System (T1005): 2
  • Email Collection (T1114): 1

Tasks