General
-
Target
DHL_1012617429350,pdf.exe
-
Size
230KB
-
Sample
211019-kce9esgcgk
-
MD5
5cab111e16c4473b848206291ddb2668
-
SHA1
64bb159114230467d5c56e9041e9270d2c2615f2
-
SHA256
4b64ebe81e55e2ed6e6317f516851fa1b52a3b94a7f139a61234aed6bcb97da2
-
SHA512
f2ac18a0a9f74580055ea60a4ffe54b664b10f1c89b31d6f92a59f0a27710bff874870dba412f0a1743aaf46721aa6ab51276729aeb3613dbd9b225a946b49a6
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.tecnotrip.xyz - Port:
587 - Username:
[email protected] - Password:
hcRRNyX6
Targets
-
-
Target
DHL_1012617429350,pdf.exe
-
Size
230KB
-
MD5
5cab111e16c4473b848206291ddb2668
-
SHA1
64bb159114230467d5c56e9041e9270d2c2615f2
-
SHA256
4b64ebe81e55e2ed6e6317f516851fa1b52a3b94a7f139a61234aed6bcb97da2
-
SHA512
f2ac18a0a9f74580055ea60a4ffe54b664b10f1c89b31d6f92a59f0a27710bff874870dba412f0a1743aaf46721aa6ab51276729aeb3613dbd9b225a946b49a6
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-