Overview

overview

10

Static

static

PO.exe

windows7_x64

10

PO.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO.exe

  • Size

    46KB

  • Sample

    211019-j415jagcer

  • MD5

    e1691792a224589da073a634cf6e890c

  • SHA1

    3813c44eedb4e6056bc678323735b025cf080922

  • SHA256

    2ce55f36ec8460c1273af1411d76c3af53a3861974d66b6a168218e6af7431e4

  • SHA512

    0dfd5c51f7ef77097ff4810727eaf904d5ef1eb2b5ac32ed0ac6a2fa6f25b22ab9e28fba91f37e80bbf9aaa76b7f52405ec5538332e238f1996502598fedad7c

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.live.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    happyhome123456

Targets

    • Target

      PO.exe

    • Size

      46KB

    • MD5

      e1691792a224589da073a634cf6e890c

    • SHA1

      3813c44eedb4e6056bc678323735b025cf080922

    • SHA256

      2ce55f36ec8460c1273af1411d76c3af53a3861974d66b6a168218e6af7431e4

    • SHA512

      0dfd5c51f7ef77097ff4810727eaf904d5ef1eb2b5ac32ed0ac6a2fa6f25b22ab9e28fba91f37e80bbf9aaa76b7f52405ec5538332e238f1996502598fedad7c

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks