General
-
Target
IMG_50_78_63.xls
-
Size
167KB
-
Sample
210414-d7asnnvf2s
-
MD5
4c9d3db50cd58ec12305d904d2354f00
-
SHA1
b0a4028da497f94c3d00f0c44a60b40fc369d5bc
-
SHA256
fa0e9c96ef83963d0ab05d58302b13ac57356aed411562c71ef1812066e8ac97
-
SHA512
744fa49552e1cca5a0dc71da06d55f61a4f3380b61974e9306cfc79e91909169261b96e6ee3cc844df2e5e3354771e0468259f3522e21950e35397f0f9fb1a1e
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
nobettwo.xyz - Port:
587 - Username:
folks@nobettwo.xyz - Password:
[FY$nv_Hp[H7
Targets
-
-
Target
IMG_50_78_63.xls
-
Size
167KB
-
MD5
4c9d3db50cd58ec12305d904d2354f00
-
SHA1
b0a4028da497f94c3d00f0c44a60b40fc369d5bc
-
SHA256
fa0e9c96ef83963d0ab05d58302b13ac57356aed411562c71ef1812066e8ac97
-
SHA512
744fa49552e1cca5a0dc71da06d55f61a4f3380b61974e9306cfc79e91909169261b96e6ee3cc844df2e5e3354771e0468259f3522e21950e35397f0f9fb1a1e
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-