General

  • Target

    df6e05150232b27c424b0e7813487491.exe

  • Size

    357KB

  • Sample

    210618-6nw4gxbc3a

  • MD5

    df6e05150232b27c424b0e7813487491

  • SHA1

    345a18019391a7d530628a55c2f1bd8379ef0ad5

  • SHA256

    52309c4bfd0f4a78a05edff800c412760c488ef60f6709f6f9038dc1f315f17a

  • SHA512

    d60d3fb015a997f52e6a069e427e0544e875ac84c1b48e7468b4e4b4a70df09a4bc7adbd5f8cefa57072df59d964480d99cc5b496750e3c12f4ab92f0c750db9

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    lagardan@yandex.com
  • Password:
    pP!@*&@)555

Targets

    • Target

      df6e05150232b27c424b0e7813487491.exe

    • Size

      357KB

    • MD5

      df6e05150232b27c424b0e7813487491

    • SHA1

      345a18019391a7d530628a55c2f1bd8379ef0ad5

    • SHA256

      52309c4bfd0f4a78a05edff800c412760c488ef60f6709f6f9038dc1f315f17a

    • SHA512

      d60d3fb015a997f52e6a069e427e0544e875ac84c1b48e7468b4e4b4a70df09a4bc7adbd5f8cefa57072df59d964480d99cc5b496750e3c12f4ab92f0c750db9

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks