General
-
Target
PO-20210420.zip
-
Size
741KB
-
Sample
210422-fbfar6hky2
-
MD5
609d38c0908dd52b9a518ced1c75dd5c
-
SHA1
5bb6756bcf7fdafacc8f0a9f8de7df83f74a488d
-
SHA256
3a16d9865825143e0057c45f70a11f80461f200314a70108a48ab9b683d58a92
-
SHA512
9fee8f3faa362346d361cd91f96984930fdad8ecaae2f590c1b5632fe7a0c9d613fd07ac88407610431c871492f3b1fbf03a5db8f1f76fcc409e1bf9cbb84a9f
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.cleo2solutions.com.au - Port:
587 - Username:
accounts@cleo2solutions.com.au - Password:
Enter@222
Targets
-
-
Target
Qr6TGA9mxOLh8uw.exe
-
Size
861KB
-
MD5
75e3ac98d0f0de52a1b12331aee1beab
-
SHA1
b22e781f5ee36d425e482f55c34c2f7e97ce5b1f
-
SHA256
76b6d7a1e7b29d60a460a07a4059b40cde01d0c04ae0c32a5149230f43833f4e
-
SHA512
0fc09192caeb4f228333fcf3cad83ad9abce45985339f67b1d0dde0748cd0382a1ef8703e5713e84b6e856d94306a24dfac287cfe1ceed6aa18406305d904a53
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-