General

  • Target

    SOA.rar

  • Size

    306KB

  • Sample

    211022-lpdf2accfq

  • MD5

    6dcfddabfdc6e534cc18afd569654019

  • SHA1

    3e70082b6a2f188dffc3a4e1361caf7625adce14

  • SHA256

    da5845cd0566fd564b190d35a64ea208037c0f6988b0e7dbed9e184028514255

  • SHA512

    b52c3acfa169ec6011720214925c5facf215ad722927022b123bc1447662338e4fead2153112292033b770c88d93bc83ceccaeda4ca2f752c09593ea38e2a43f

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aninditaeng.net
  • Port:
    587
  • Username:
    admin@aninditaeng.net
  • Password:
    t2weClGi1f~7Elps

Targets

    • Target

      SOA.exe

    • Size

      445KB

    • MD5

      43f6b23871c444e83c21659cdf178432

    • SHA1

      3e36823c8c0559c999751c60108b92c94d1e01bc

    • SHA256

      ccb998b0a850d4c9cd99f43f12abe761606ebb47b2d2f010133825561abe79eb

    • SHA512

      73e84000f6aef2fcaafdbbdbebd55f87fa0bbac22cf63bb661f938a2cd48ed33c6e22e5cc67ff2500e7103a3546abc00af2afaaeaca662b84094c9e61b5d6bf8

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020. The SMTP account in the extracted config above is this sample's exfiltration channel.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

      Outlook stores per-profile account settings in the user's registry hive; reading them gives an infostealer the configured mail accounts.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common way to redirect execution into injected code, for example in process hollowing.
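The behaviors listed above, together with the SMTP endpoint in the extracted config, translate directly into detection logic. The following is an added example written for this page, not code from the sandbox or from the sample: it replays the report's signatures over constructed Sysmon-style events and reproduces the per-technique counts shown in the ATT&CK matrix. The file paths, registry key and IP-lookup hostnames are assumptions about where those programs keep their data, and the mapping of each signature to technique IDs is likewise an assumption chosen to agree with the matrix; only the SMTP host and port come from the report.

```python
# Added example, not code from the sandbox report or from the malware.
# Replays the report's behavioural signatures as detection logic over
# Sysmon-style events and reproduces its ATT&CK v6 match counts.
import re
from collections import Counter

# Exfiltration endpoint taken from the report's extracted config.
EXFIL_SMTP_HOST = "mail.aninditaeng.net"
EXFIL_SMTP_PORT = 587

# event type -> {signature name: (ATT&CK IDs, regex on the event target)}.
# Paths, registry key and lookup hostnames are assumptions about where these
# programs keep data or which services get queried; they are not strings
# taken from the sample. The ID mapping is an assumption matching the matrix.
SIGNATURES = {
    "file_read": {
        "Reads data files stored by FTP clients":
            (("T1081", "T1005"), re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
        "Reads user/profile data of web browsers":
            (("T1081", "T1005"), re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)),
        "Reads user/profile data of local email clients":
            (("T1081", "T1005"), re.compile(r"\\(Thunderbird\\Profiles|Foxmail)\\", re.I)),
    },
    "reg_query": {
        "Accesses Microsoft Outlook profiles":
            (("T1114",), re.compile(r"\\Office\\\d+\.\d+\\Outlook\\Profiles", re.I)),
    },
    "net_connect": {
        "Looks up external IP address via web service":
            ((), re.compile(r"^(checkip\.dyndns\.org|api\.ipify\.org|icanhazip\.com):80$", re.I)),
        "Connects to the SMTP host from the extracted config":
            ((), re.compile(rf"^{re.escape(EXFIL_SMTP_HOST)}:{EXFIL_SMTP_PORT}$", re.I)),
    },
}


def match_event(event):
    """Return (signature, attack_ids) for the first matching signature, else None."""
    for name, (attack_ids, pattern) in SIGNATURES.get(event["type"], {}).items():
        if pattern.search(event["target"]):
            return name, attack_ids
    return None


def detect(events):
    """Aggregate per-signature hits and per-technique counts over an event stream."""
    hits, techniques = {}, Counter()
    for ev in events:
        m = match_event(ev)
        if m is None:
            continue
        name, attack_ids = m
        if name not in hits:  # count each signature once, as the matrix does
            techniques.update(attack_ids)
        hits.setdefault(name, []).append(ev["target"])
    exfil = any(n.startswith("Connects to the SMTP") for n in hits)
    return {"signatures": hits, "techniques": dict(techniques), "exfil": exfil}


# Constructed events modelled on what the report describes; not sandbox output.
SAMPLE_EVENTS = [
    {"type": "file_read", "image": "SOA.exe",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file_read", "image": "SOA.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": "SOA.exe",
     "target": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\x.default\prefs.js"},
    {"type": "reg_query", "image": "SOA.exe",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "net_connect", "image": "SOA.exe", "target": "checkip.dyndns.org:80"},
    {"type": "net_connect", "image": "SOA.exe", "target": "mail.aninditaeng.net:587"},
    # Benign activity that must not trigger anything.
    {"type": "file_read", "image": "notepad.exe", "target": r"C:\Users\u\Desktop\notes.txt"},
    {"type": "net_connect", "image": "msedge.exe", "target": "www.bing.com:443"},
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for name, targets in result["signatures"].items():
        print(f"{name}: {len(targets)} event(s)")
    print("ATT&CK v6 counts:", result["techniques"])
    print("exfil to extracted SMTP host:", result["exfil"])
```

Run against the constructed events, all six signatures fire once, the technique counter comes out as T1081: 3, T1005: 3, T1114: 1, and the SMTP connection is flagged as exfiltration; the two benign events match nothing. For live use, the SMTP host and port are the cheapest network indicator to alert on, since outbound 587 to that host has no reason to appear from an ordinary workstation.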

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is how many of the signatures above map to it)

Credential Access

  • Credentials in Files (T1081): 3 signatures

Collection

  • Data from Local System (T1005): 3 signatures
  • Email Collection (T1114): 1 signature

Tasks