General
-
Target
Order _ 08201450.doc
-
Size
49KB
-
Sample
210722-9v7vhkl2nn
-
MD5
e79a3eff7afad1baf05d316eabe8bf90
-
SHA1
420291ec39d86c8442aac0d447a107cdcac9a4ef
-
SHA256
5287078230313c9bc74e5f6230b3c017c085eb389ed674547eabfb32d90ee018
-
SHA512
a0feb30bfd42801115165fc8cbf731807f2747cdaa4ccab80b7e6b7f68c24d02684506a0c7d2d7f5d1ee172af612bea8ae1e2e92ad39ec5b72cd5575c121031a
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
bh-16.webhostbox.net - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@#$
Targets
-
-
Target
Order _ 08201450.doc
-
Size
49KB
-
MD5
e79a3eff7afad1baf05d316eabe8bf90
-
SHA1
420291ec39d86c8442aac0d447a107cdcac9a4ef
-
SHA256
5287078230313c9bc74e5f6230b3c017c085eb389ed674547eabfb32d90ee018
-
SHA512
a0feb30bfd42801115165fc8cbf731807f2747cdaa4ccab80b7e6b7f68c24d02684506a0c7d2d7f5d1ee172af612bea8ae1e2e92ad39ec5b72cd5575c121031a
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-