General

  • Target

    16334d583f283283426deeae30d96926_JaffaCakes118

  • Size

    746KB

  • Sample

    240627-qycnbawemq

  • MD5

    16334d583f283283426deeae30d96926

  • SHA1

    7c0510feac969d8110b7eb9ad867fcd2db1f1360

  • SHA256

    346838cb6803df92a264b5f355b5a5f6de79dd3c6bb61b26187cd86df96d44ac

  • SHA512

    740b43084864b7f2802e877657146770b73b2ed0617566097d04693865ba9f7d1fd3f9212b056b07d59cedb1a39e220dc4004c1b49513e0f746e68479c529e19

  • SSDEEP

    12288:ZiDH1gDKcFRdrZjtE4rByjrhw6ct8NCmdyfwasqipKO29c:0gDKcFRdrF240jW3tsdyRipKO29c

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1253930875:AAHtgtSce_nZyxAmWaCL8F3TRro9rp-ilvI/sendMessage?chat_id=1323227338

Targets

    • Target

      Medisave Order 180827.exe

    • Size

      684KB

    • MD5

      33a761dbe5930c762f7f88f7d733a7fe

    • SHA1

      886c6d95005d2d5e9b2b9cb3f994826e49ba512e

    • SHA256

      9fb198089a3815b1b5ead8e5c11c087a92aa37769e3ab9fc3d09646557743d14

    • SHA512

      1f2488e3350451b77fe8abbeca5589d2ac4558b582dbaaddac16f2dc89cda6a4d00fcb2d4b287ab13cd0dbcab11fdb598a21aec1c524cc65ea56f6bc1596e67f

    • SSDEEP

      12288:NiDH1gDKcFRdrZjtE4rByjrhw6ct8NCmdyfwasqipKO29cX:QgDKcFRdrF240jW3tsdyRipKO29cX

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

    • SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    • SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    • SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    • SSDEEP

      192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4

    • Score

      3/10

    • Target

      8d144.dll

    • Size

      10KB

    • MD5

      fcaca1b9ad5fe0bfed523839d37ecf27

    • SHA1

      66fdce05606bc861b42fec41b0505668ac21defe

    • SHA256

      3f36bb6084f358696601a687bee93c006bdbb4155a16603ad350d83093a94417

    • SHA512

      41b2144eef175e61a9dc417dd8556f653268584ef82c44132b2d505f00dad488dffce370beffeabf322ecf8cfa3cdad6f80b7f3fab8e0a29941aafe77e9c564c

    • SSDEEP

      192:WLk0vuR9jECxj2EFlr9fKxGxWifbv32LZgEJ:WHGbjdp2KrhKIUizv32LZ

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

    Unsecured Credentials (T1552): 3
    Credentials In Files (T1552.001): 3

  • Discovery

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Tasks