snakekeylogger | de84fd0917c71e480391b36c110ac301415df6b1feb89eccfc2b507d473ca3ef | Triage

Sharing

General

Target

DHL-NOTIFC47484-PDF.exe
Size

367KB
Sample

211130-hjmwqseagl
MD5

66047000cd0ea6022324ba1182961dc1
SHA1

f89392f7078c5ca44ef163354ca027e6cf76b43f
SHA256

de84fd0917c71e480391b36c110ac301415df6b1feb89eccfc2b507d473ca3ef
SHA512

2029f94c950214d2c06dd6f9b8ab3d93dd0b6197e641f8b43be191f1ed705c301f044a764065836cc98d6f07aa19d6d6442fb9565fd729701b8e8d407b6023f8

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.alroman.com
Port:
587
Username:
customercare@alroman.com
Password:
abc@24638

Targets

- Target
  
  DHL-NOTIFC47484-PDF.exe
- Size
  
  367KB
- MD5
  
  66047000cd0ea6022324ba1182961dc1
- SHA1
  
  f89392f7078c5ca44ef163354ca027e6cf76b43f
- SHA256
  
  de84fd0917c71e480391b36c110ac301415df6b1feb89eccfc2b507d473ca3ef
- SHA512
  
  2029f94c950214d2c06dd6f9b8ab3d93dd0b6197e641f8b43be191f1ed705c301f044a764065836cc98d6f07aa19d6d6442fb9565fd729701b8e8d407b6023f8
Score

10^/10

snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggercollectionkeyloggerstealer

behavioral2

snakekeyloggercollectionkeyloggerstealer