General
-
Target
Qr6TGA9mxOLh8uw.exe
-
Size
861KB
-
Sample
210422-zxn5n5n5tx
-
MD5
75e3ac98d0f0de52a1b12331aee1beab
-
SHA1
b22e781f5ee36d425e482f55c34c2f7e97ce5b1f
-
SHA256
76b6d7a1e7b29d60a460a07a4059b40cde01d0c04ae0c32a5149230f43833f4e
-
SHA512
0fc09192caeb4f228333fcf3cad83ad9abce45985339f67b1d0dde0748cd0382a1ef8703e5713e84b6e856d94306a24dfac287cfe1ceed6aa18406305d904a53
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.cleo2solutions.com.au - Port:
587 - Username:
accounts@cleo2solutions.com.au - Password:
Enter@222
Targets
-
-
Target
Qr6TGA9mxOLh8uw.exe
-
Size
861KB
-
MD5
75e3ac98d0f0de52a1b12331aee1beab
-
SHA1
b22e781f5ee36d425e482f55c34c2f7e97ce5b1f
-
SHA256
76b6d7a1e7b29d60a460a07a4059b40cde01d0c04ae0c32a5149230f43833f4e
-
SHA512
0fc09192caeb4f228333fcf3cad83ad9abce45985339f67b1d0dde0748cd0382a1ef8703e5713e84b6e856d94306a24dfac287cfe1ceed6aa18406305d904a53
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-