General
-
Target
PO031656.exe
-
Size
896KB
-
Sample
210622-f2hc57aq7s
-
MD5
8b351752b1721536fb923560f4a12f69
-
SHA1
fe9e5cf16d15177781dfdee64f937fbb80d0b32e
-
SHA256
bef8873a0b223b7f3d49854b3de46890b6f3363eadedf395a768b05b87c93d5f
-
SHA512
7a10954d2723021ac617c6f5b62c3f0b6aedf8be1cae4c5c5e30d413523e80be3ef4a68593d31c8b36fca4313c72a948dfaa80bcd1dbb74f2861681d7275dfdc
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
nicolas.sautter@chsauter-bc.com - Password:
111aaa
Targets
-
-
Target
PO031656.exe
-
Size
896KB
-
MD5
8b351752b1721536fb923560f4a12f69
-
SHA1
fe9e5cf16d15177781dfdee64f937fbb80d0b32e
-
SHA256
bef8873a0b223b7f3d49854b3de46890b6f3363eadedf395a768b05b87c93d5f
-
SHA512
7a10954d2723021ac617c6f5b62c3f0b6aedf8be1cae4c5c5e30d413523e80be3ef4a68593d31c8b36fca4313c72a948dfaa80bcd1dbb74f2861681d7275dfdc
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-