General

  • Target

    6372134355763200.zip

  • Size

    356KB

  • Sample

    210615-2x8zylzvgn

  • MD5

    619c56192852e2e10e5ff0cb1c7b6157

  • SHA1

    f23832f088e6fa67fc7e03ae29cf14a4e981124d

  • SHA256

    71297f4b8b220b73eec6251732ae92ace5190d53c027be9bbdf0705b90511235

  • SHA512

    6fcc5df64b40ff1f5dca4b23ff2a99b6daa56da6e9d761b6fcb3aa3262a7156393ffaaf13ad3654e6dfb84aed499459fc770d798e71993f52410e7add6334c0e

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: duiy.club
  • Port: 587
  • Username: bottle@nobetone.xyz
  • Password: B]iRB~567{1

Targets

    • Target

      IMG_077010168.exe

    • Size

      383KB

    • MD5

      7312858cf98a41917a7de7975e11322e

    • SHA1

      9e89b172cf54ae347df7220ff3d08116b48487c1

    • SHA256

      7ee7904969171bddb151071e7b02b14f7f9a560e25ba461c360a3f6b41016df0

    • SHA512

      9dba707097980849c7f706b842c34eb7b38c70d6af62d61ab691f96b9f33645dc651c39b9d6d58786f71cb5279e2b45596d1b7fd7aa4fc0a941efd7e5e382b5f

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3

  • Collection
    Data from Local System (T1005): 3

Tasks