General
-
Target
TT Transmitted Copy TRVTT2127468.exe
-
Size
819KB
-
Sample
210727-2pklegj8va
-
MD5
427992e6cc9f399060c003ae46389403
-
SHA1
07cfcd1b19481ddf586f4b84a1d4a6aef2da722a
-
SHA256
c441b0de54cee442566129507b4f3f0dbcbe6eb42ff24936c6e180a3d93fcdb0
-
SHA512
2465b2f96899603b6473d193bdc6a4b449ec9040dba12a9842da0d5e12e2cfd5b6d6a97a5725c41062d6d5e9be6f123354863ed030041a5531337426c30b9fdd
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
admin@evapimlogs.com - Password:
BkKMmzZ1
Targets
-
-
Target
TT Transmitted Copy TRVTT2127468.exe
-
Size
819KB
-
MD5
427992e6cc9f399060c003ae46389403
-
SHA1
07cfcd1b19481ddf586f4b84a1d4a6aef2da722a
-
SHA256
c441b0de54cee442566129507b4f3f0dbcbe6eb42ff24936c6e180a3d93fcdb0
-
SHA512
2465b2f96899603b6473d193bdc6a4b449ec9040dba12a9842da0d5e12e2cfd5b6d6a97a5725c41062d6d5e9be6f123354863ed030041a5531337426c30b9fdd
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-