2021-08-10 Snake Keylogger IOCs

1. THREAT ATTRIBUTION: SNAKE KEYLOGGER
2.  
3. SUBJECTS OBSERVED
4. (RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES-TWO WAREHOUSES AND OTHERS - MARJAN INCREMENT PROGRAM TANAJIB GAS PLANT PROJECT - PACKAGES 09 AND 11
5.  
6. SENDERS OBSERVED
7. [email protected]
8.  
9. MALDOC FILE HASHES
10. (RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.IMG
11. cc2bcba266b5fa7bccaf7592df6c1837
12.  
13. SNAKE KEYLOGGER PAYLOAD FILE HASHES
14. (RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe
15. 519f9833658acf4cbfc0139b990f1411
16.  
17. STOLEN DATA EXFILTRATED VIA EMAIL TO:
18. us2.smtp.mailhostbox.com:587
19.  
20. EXFILTRATION EMAIL ADDRESSES
21. From: [email protected]
22. To: [email protected]
23.  
24. STRINGS IN MEMORY FOR MSBUILD.EXE
25. 0x419ba1 (56): https://api.telegram.org/bot
26. 0x419ce8 (52): http://checkip.dyndns.org/
27. 0x419dd8 (52): https://freegeoip.app/xml/
28.  
29. SUPPORTING EVIDENCE
30. https://www.virustotal.com/gui/file/5e38e3d0a442ea94f31e31b53084f904ab45661dc50c9abec49c0a016dea64a4/detection
31.