snakekeylogger | 0cc6f444f52c66cd955fa64184e8784b8ec735a0d8b2f1f4c060532fcd54e9f8 | Triage

Sharing

General

Target

3446b3427eb52e09af7b7424d8bd6dc3
Size

558KB
Sample

211021-klfasaahar
MD5

3446b3427eb52e09af7b7424d8bd6dc3
SHA1

780f36db6bdafed0966c2951e86142b43105f0f2
SHA256

0cc6f444f52c66cd955fa64184e8784b8ec735a0d8b2f1f4c060532fcd54e9f8
SHA512

7596395c37d037bff11dcf9e3f59039602b965c9cd36fedf344ef83dff3cce5c80aec345d4eaee4ecc2b5036b6a34473f7f31d3291d651baeddad762e5c7fbfe

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
budgetn.shop
Port:
587
Username:
founder@budgetn.shop
Password:
eC~Z,TG&S9jM

Targets

- Target
  
  3446b3427eb52e09af7b7424d8bd6dc3
- Size
  
  558KB
- MD5
  
  3446b3427eb52e09af7b7424d8bd6dc3
- SHA1
  
  780f36db6bdafed0966c2951e86142b43105f0f2
- SHA256
  
  0cc6f444f52c66cd955fa64184e8784b8ec735a0d8b2f1f4c060532fcd54e9f8
- SHA512
  
  7596395c37d037bff11dcf9e3f59039602b965c9cd36fedf344ef83dff3cce5c80aec345d4eaee4ecc2b5036b6a34473f7f31d3291d651baeddad762e5c7fbfe
Score

10^/10

snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggercollectionkeyloggerstealer

behavioral2

snakekeyloggercollectionkeyloggerstealer